Shafi Goldwasser (1)
Mihir Bellare (2)
July 2008

(1) MIT Computer Science and Artificial Intelligence Laboratory, The Stata Center, Building 32, 32 Vassar Street, Cambridge, MA 02139, USA. Email: shafi@theory.lcs.mit.edu ; Web page: http://theory.lcs.mit.edu/~shafi
(2) Department of Computer Science and Engineering, Mail Code 0404, University of California at San Diego, 9500 Gilman Drive, La Jolla, CA 92093, USA. Email: mihir@cs.ucsd.edu ; Web page: http://www-cse.ucsd.edu/users/mihir
Foreword
This is a set of lecture notes on cryptography compiled for 6.87s, a one-week-long course on cryptography taught
at MIT by Shafi Goldwasser and Mihir Bellare in the summers of 1996–2002, 2004, 2005 and 2008.
Cryptography is of course a vast subject. The thread followed by these notes is to develop and explain the
notion of provable security and its usage for the design of secure protocols.
Much of the material in Chapters 2, 3 and 7 is a result of scribe notes, originally taken by MIT graduate
students who attended Professor Goldwasser’s Cryptography and Cryptanalysis course over the years, and later
edited by Frank D’Ippolito who was a teaching assistant for the course in 1991. Frank also contributed much
of the advanced number theoretic material in the Appendix. Some of the material in Chapter 3 is from the
chapter on Cryptography, by R. Rivest, in the Handbook of Theoretical Computer Science. Chapters 4, 5, 6,
8, 9 and 11, and Sections 10.5 and 7.4.6, are from the Introduction to Modern Cryptography notes by Bellare
and Rogaway [23], and we thank Phillip Rogaway for permission to include this material. Rosario Gennaro (as
Teaching Assistant for the course in 1996) contributed Section 10.6, Section 12.4, Section 12.5, and Appendix D
to the notes, and also compiled, from various sources, some of the problems in Appendix E.
All rights reserved.
Shafi Goldwasser and Mihir Bellare, Cambridge, Massachusetts, July 2008.
Table of Contents
1 Introduction to Modern Cryptography
  1.1 Encryption: Historical Glance
  1.2 Modern Encryption: A Computational Complexity Based Theory
  1.3 A Short List of Candidate One Way Functions
  1.4 Security Definitions
  1.5 The Model of Adversary
  1.6 Road map to Encryption
2 One-way and trapdoor functions
  2.1 One-Way Functions: Motivation
  2.2 One-Way Functions: Definitions
    2.2.1 (Strong) One Way Functions
    2.2.2 Weak One-Way Functions
    2.2.3 Non-Uniform One-Way Functions
    2.2.4 Collections Of One Way Functions
    2.2.5 Trapdoor Functions and Collections
  2.3 In Search of Examples
    2.3.1 The Discrete Logarithm Function
    2.3.2 The RSA function
    2.3.3 Connection Between The Factorization Problem And Inverting RSA
    2.3.4 The Squaring Trapdoor Function Candidate by Rabin
    2.3.5 A Squaring Permutation as Hard to Invert as Factoring
  2.4 Hard-core Predicate of a One Way Function
    2.4.1 Hard Core Predicates for General One-Way Functions
    2.4.2 Bit Security Of The Discrete Logarithm Function
    2.4.3 Bit Security of RSA and SQUARING functions
  2.5 One-Way and Trapdoor Predicates
    2.5.1 Examples of Sets of Trapdoor Predicates
3 Pseudo-random bit generators
    3.0.2 Generating Truly Random bit Sequences
    3.0.3 Generating Pseudo-Random Bit or Number Sequences
Goldwasser and Bellare
    3.0.4 Provably Secure Pseudo-Random Generators: Brief overview
  3.1 Definitions
  3.2 The Existence Of A Pseudo-Random Generator
  3.3 Next Bit Tests
  3.4 Examples of Pseudo-Random Generators
    3.4.1 Blum/Blum/Shub Pseudo-Random Generator
4 Block ciphers
  4.1 What is a block cipher?
  4.2 Data Encryption Standard (DES)
    4.2.1 A brief history
    4.2.2 Construction
    4.2.3 Speed
  4.3 Key recovery attacks on block ciphers
  4.4 Iterated-DES and DESX
    4.4.1 Double-DES
    4.4.2 Triple-DES
    4.4.3 DESX
    4.4.4 Why a new cipher?
  4.5 Advanced Encryption Standard (AES)
  4.6 Limitations of key-recovery based security
  4.7 Problems
5 Pseudorandom functions
  5.1 Function families
  5.2 Random functions and permutations
    5.2.1 Random functions
    5.2.2 Random permutations
  5.3 Pseudorandom functions
  5.4 Pseudorandom permutations
    5.4.1 PRP under CPA
    5.4.2 PRP under CCA
    5.4.3 Relations between the notions
  5.5 Modeling block ciphers
  5.6 Example Attacks
  5.7 Security against key recovery
  5.8 The birthday attack
  5.9 The PRP/PRF switching lemma
  5.10 Sequences of families of PRFs and PRPs
  5.11 Some applications of PRFs
    5.11.1 Cryptographically Strong Hashing
    5.11.2 Prediction
    5.11.3 Learning
    5.11.4 Identify Friend or Foe
    5.11.5 Private-Key Encryption
  5.12 Historical notes
  5.13 Problems
6 Private-key encryption
  6.1 Symmetric encryption schemes
  6.2 Some symmetric encryption schemes
    6.2.1 The one-time-pad encryption scheme
    6.2.2 Some modes of operation
  6.3 Issues in privacy
  6.4 Indistinguishability under chosen-plaintext attack
    6.4.1 Definition
    6.4.2 Alternative interpretation
    6.4.3 Why is this a good definition?
  6.5 Example chosen-plaintext attacks
    6.5.1 Attack on ECB
    6.5.2 Any deterministic, stateless scheme is insecure
    6.5.3 Attack on CBC encryption with counter IV
  6.6 IND-CPA implies PR-CPA
  6.7 Security of CTR modes
    6.7.1 Proof of Theorem ??
    6.7.2 Proof of Theorem ??
  6.8 Security of CBC with a random IV
  6.9 Indistinguishability under chosen-ciphertext attack
  6.10 Example chosen-ciphertext attacks
    6.10.1 Attacks on the CTR schemes
    6.10.2 Attack on CBC$
  6.11 Other methods for symmetric encryption
    6.11.1 Generic encryption with pseudorandom functions
    6.11.2 Encryption with pseudorandom bit generators
    6.11.3 Encryption with one-way functions
  6.12 Historical notes
  6.13 Problems
7 Public-key encryption
  7.1 Definition of Public-Key Encryption
  7.2 Simple Examples of PKC: The Trapdoor Function Model
    7.2.1 Problems with the Trapdoor Function Model
    7.2.2 Problems with Deterministic Encryption in General
    7.2.3 The RSA Cryptosystem
    7.2.4 Rabin's Public key Cryptosystem
    7.2.5 Knapsacks
  7.3 Defining Security
    7.3.1 Definition of Security: Polynomial Indistinguishability
    7.3.2 Another Definition: Semantic Security
  7.4 Probabilistic Public Key Encryption
    7.4.1 Encrypting Single Bits: Trapdoor Predicates
    7.4.2 Encrypting Single Bits: Hard Core Predicates
    7.4.3 General Probabilistic Encryption
    7.4.4 Efficient Probabilistic Encryption
    7.4.5 An implementation of EPE with cost equal to the cost of RSA
    7.4.6 Practical RSA based encryption
    7.4.7 Enhancements
  7.5 Exploring Active Adversaries
8 Hash Functions
  8.1 The hash function SHA1
  8.2 Collision-resistant hash functions
  8.3 Collision-finding attacks
  8.4 One-wayness of collision-resistant hash functions
  8.5 The MD transform
  8.6 Collision-resistance under hidden-key attack
  8.7 Problems
9 Message authentication
  9.1 The setting
  9.2 Privacy does not imply authenticity
  9.3 Syntax of message-authentication schemes
  9.4 A definition of security for MACs
    9.4.1 Towards a definition of security
    9.4.2 Definition of security
  9.5 Examples
  9.6 The PRF-as-a-MAC paradigm
  9.7 The CBC MACs
    9.7.1 The basic CBC MAC
    9.7.2 Birthday attack on the CBC MAC
    9.7.3 Length Variability
  9.8 MACing with cryptographic hash functions
    9.8.1 The HMAC construction
    9.8.2 Security of HMAC
    9.8.3 Resistance to known attacks
  9.9 Universal hash based MACs
  9.10 Minimizing assumptions for MACs
  9.11 Problems
10 Digital signatures
  10.1 The Ingredients of Digital Signatures
  10.2 Digital Signatures: the Trapdoor Function Model
  10.3 Defining and Proving Security for Signature Schemes
    10.3.1 Attacks Against Digital Signatures
    10.3.2 The RSA Digital Signature Scheme
    10.3.3 El Gamal's Scheme
    10.3.4 Rabin's Scheme
  10.4 Probabilistic Signatures
    10.4.1 Claw-free Trapdoor Permutations
    10.4.2 Example: Claw-free permutations exist if factoring is hard
    10.4.3 How to sign one bit
    10.4.4 How to sign a message
    10.4.5 A secure signature scheme based on claw free permutations
    10.4.6 A secure signature scheme based on trapdoor permutations
  10.5 Concrete security and Practical RSA based signatures
    10.5.1 Digital signature schemes
    10.5.2 A notion of security
    10.5.3 Generation of RSA parameters
    10.5.4 One-wayness problems
    10.5.5 Trapdoor signatures
    10.5.6 The hash-then-invert paradigm
    10.5.7 The PKCS #1 scheme
    10.5.8 The FDH scheme
    10.5.9 PSS0: A security improvement
    10.5.10 The Probabilistic Signature Scheme – PSS
    10.5.11 Signing with Message Recovery – PSS-R
    10.5.12 How to implement the hash functions
    10.5.13 Comparison with other schemes
  10.6 Threshold Signature Schemes
    10.6.1 Key Generation for a Threshold Scheme
    10.6.2 The Signature Protocol
11 Key distribution
  11.1 Diffie-Hellman secret key exchange
    11.1.1 The protocol
    11.1.2 Security against eavesdropping: The DH problem
    11.1.3 The DH cryptosystem
    11.1.4 Bit security of the DH key
    11.1.5 The lack of authenticity
  11.2 Session key distribution
    11.2.1 Trust models and key distribution problems
    11.2.2 History of session key distribution
    11.2.3 An informal description of the problem
    11.2.4 Issues in security
    11.2.5 Entity authentication versus key distribution
  11.3 Three party session key distribution
  11.4 Authenticated key exchanges
    11.4.1 The symmetric case
    11.4.2 The asymmetric case
  11.5 Forward secrecy
12 Protocols
  12.1 Some two party protocols
    12.1.1 Oblivious transfer
    12.1.2 Simultaneous contract signing
    12.1.3 Bit Commitment
    12.1.4 Coin flipping in a well
    12.1.5 Oblivious circuit evaluation
    12.1.6 Simultaneous Secret Exchange Protocol
  12.2 Zero-Knowledge Protocols
    12.2.1 Interactive Proof-Systems (IP)
    12.2.2 Examples
    12.2.3 Zero-Knowledge
    12.2.4 Definitions
    12.2.5 If there exist one way functions, then NP is in KC[0]
    12.2.6 Applications to User Identification
  12.3 Multi Party protocols
    12.3.1 Secret sharing
    12.3.2 Verifiable Secret Sharing
    12.3.3 Anonymous Transactions
    12.3.4 Multiparty Ping-Pong Protocols
    12.3.5 Multiparty Protocols When Most Parties are Honest
  12.4 Electronic Elections
    12.4.1 The Merritt Election Protocol
    12.4.2 A fault-tolerant Election Protocol
    12.4.3 The protocol
    12.4.4 Uncoercibility
  12.5 Digital Cash
    12.5.1 Required properties for Digital Cash
    12.5.2 A First-Try Protocol
    12.5.3 Blind signatures
    12.5.4 RSA blind signatures
    12.5.5 Fixing the dollar amount
    12.5.6 On-line digital cash
    12.5.7 Off-line digital cash
A The birthday problem
  A.1 The birthday problem
B Some complexity theory background
  B.1 Complexity Classes and Standard Definitions
    B.1.1 Complexity Class P
    B.1.2 Complexity Class NP
    B.1.3 Complexity Class BPP
  B.2 Probabilistic Algorithms
    B.2.1 Notation For Probabilistic Turing Machines
    B.2.2 Different Types of Probabilistic Algorithms
    B.2.3 Non-Uniform Polynomial Time
  B.3 Adversaries
    B.3.1 Assumptions To Be Made
  B.4 Some Inequalities From Probability Theory
C Some number theory background
  C.1 Groups: Basics
  C.2 Arithmetic of numbers: +, *, GCD
  C.3 Modular operations and groups
    C.3.1 Simple operations
    C.3.2 The main groups: Z_n and Z_n^*
    C.3.3 Exponentiation
  C.4 Chinese remainders
C.5 Primitive elements and Z
∗
p
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260
C.5.1 Deﬁnitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260
C.5.2 The group Z
∗
p
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
C.5.3 Finding generators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
C.6 Quadratic residues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
C.7 Jacobi Symbol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262
C.8 RSA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
C.9 Primality Testing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
C.9.1 PRIMES ∈ NP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
C.9.2 Pratt’s Primality Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264
C.9.3 Probabilistic Primality Tests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264
C.9.4 SolovayStrassen Primality Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264
C.9.5 MillerRabin Primality Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266
C.9.6 Polynomial Time Proofs Of Primality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
C.9.7 An Algorithm Which Works For Some Primes . . . . . . . . . . . . . . . . . . . . . . . . . 267
C.9.8 GoldwasserKilian Primality Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
C.9.9 Correctness Of The GoldwasserKilian Algorithm . . . . . . . . . . . . . . . . . . . . . . . 268
C.9.10 Expected Running Time Of GoldwasserKilian . . . . . . . . . . . . . . . . . . . . . . . . 269
C.9.11 Expected Running Time On Nearly All Primes . . . . . . . . . . . . . . . . . . . . . . . . 269
C.10 Factoring Algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270
C.11 Elliptic Curves . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270
C.11.1 Elliptic Curves Over Z
n
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271
C.11.2 Factoring Using Elliptic Curves . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
C.11.3 Correctness of Lenstra’s Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273
C.11.4 Running Time Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273
D About PGP 275
D.1 Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
D.2 Privacy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
D.3 Key Size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276
D.4 Email compatibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276
D.5 One-time IDEA keys generation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276
D.6 Public-Key Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276
E Problems 278
E.1 Secret Key Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278
E.1.1 DES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278
E.1.2 Error Correction in DES ciphertexts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278
E.1.3 Brute force search in CBC mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278
E.1.4 Email . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
E.2 Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
E.3 Number Theory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280
E.3.1 Number Theory Facts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280
E.3.2 Relationship between problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280
E.3.3 Probabilistic Primality Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280
E.4 Public Key Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
E.4.1 Simple RSA question . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
E.4.2 Another simple RSA question . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
10 Goldwasser and Bellare
E.4.3 Protocol Failure involving RSA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
E.4.4 RSA for paranoids . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
E.4.5 Hardness of Diffie-Hellman . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
E.4.6 Bit commitment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
E.4.7 Perfect Forward Secrecy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
E.4.8 Plaintext-awareness and non-malleability . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
E.4.9 Probabilistic Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
E.5 Secret Key Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
E.5.1 Simultaneous encryption and authentication . . . . . . . . . . . . . . . . . . . . . . . . . . 283
E.6 Hash Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
E.6.1 Birthday Paradox . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
E.6.2 Hash functions from DES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
E.6.3 Hash functions from RSA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
E.7 Pseudorandomness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
E.7.1 Extending PRGs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
E.7.2 From PRG to PRF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285
E.8 Digital Signatures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285
E.8.1 Table of Forgery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285
E.8.2 ElGamal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285
E.8.3 Suggested signature scheme . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285
E.8.4 Ong-Schnorr-Shamir . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286
E.9 Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286
E.9.1 Unconditionally Secure Secret Sharing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286
E.9.2 Secret Sharing with cheaters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286
E.9.3 Zero–Knowledge proof for discrete logarithms . . . . . . . . . . . . . . . . . . . . . . . . . 286
E.9.4 Oblivious Transfer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287
E.9.5 Electronic Cash . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287
E.9.6 Atomicity of withdrawal protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
E.9.7 Blinding with ElGamal/DSS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
Chapter 1
Introduction to Modern Cryptography
Cryptography is about communication in the presence of an adversary. It encompasses many problems (encryption,
authentication, key distribution to name a few). The field of modern cryptography provides a theoretical
foundation based on which we may understand what exactly these problems are, how to evaluate protocols that
purport to solve them, and how to build protocols in whose security we can have conﬁdence. We introduce the
basic issues by discussing the problem of encryption.
1.1 Encryption: Historical Glance
The most ancient and basic problem of cryptography is secure communication over an insecure channel. Party
A wants to send to party B a secret message over a communication line which may be tapped by an adversary.
The traditional solution to this problem is called private key encryption. In private key encryption A and B
hold a meeting before the remote transmission takes place and agree on a pair of encryption and decryption
algorithms $E$ and $D$, and an additional piece of information $S$ to be kept secret. We shall refer to $S$ as the
common secret key. The adversary may know the encryption and decryption algorithms $E$ and $D$ which are
being used, but does not know $S$.
After the initial meeting, when A wants to send B the cleartext or plaintext message $m$ over the insecure
communication line, A encrypts $m$ by computing the ciphertext $c = E(S, m)$ and sends $c$ to B. Upon receipt,
B decrypts $c$ by computing $m = D(S, c)$. The line-tapper (or adversary), who does not know $S$, should not be
able to compute $m$ from $c$.
Let us illustrate this general and informal setup with an example familiar to most of us from childhood, the
substitution cipher. In this method A and B meet and agree on some secret permutation $f : \Sigma \to \Sigma$ (where $\Sigma$
is the alphabet of the messages to be sent). To encrypt message $m = m_1 \ldots m_n$ where $m_i \in \Sigma$, A computes
$E(f, m) = f(m_1) \ldots f(m_n)$. To decrypt $c = c_1 \ldots c_n$ where $c_i \in \Sigma$, B computes
$D(f, c) = f^{-1}(c_1) \ldots f^{-1}(c_n) = m_1 \ldots m_n = m$. In this example the common secret key is the permutation $f$.
The encryption and decryption algorithms $E$ and $D$ are as specified, and are known to the adversary. We note
that the substitution cipher is easy to break by an adversary who sees a moderate (as a function of the size of
the alphabet $\Sigma$) number of ciphertexts.
A rigorous theory of perfect secrecy based on information theory was developed by Shannon [192] in 1943.¹ In
this theory, the adversary is assumed to have unlimited computational resources. Shannon showed that a secure
(properly defined) encryption system can exist only if the size of the secret information $S$ that A and B agree
on prior to remote transmission is as large as the number of secret bits to be ever exchanged remotely using the
encryption system.
¹ Shannon's famous work on information theory was an outgrowth of his work on security ([193]).
An example of a private key encryption method which is secure even in presence of a computationally unbounded
adversary is the one time pad. A and B agree on a secret bit string $pad = b_1 b_2 \ldots b_n$, where $b_i \in_R \{0, 1\}$ (i.e.
$pad$ is chosen in $\{0, 1\}^n$ with uniform probability). This is the common secret key. To encrypt a message
$m = m_1 m_2 \ldots m_n$ where $m_i \in \{0, 1\}$, A computes $E(pad, m) = m \oplus pad$ (bitwise exclusive or). To decrypt
ciphertext $c \in \{0, 1\}^n$, B computes $D(pad, c) = pad \oplus c = pad \oplus (m \oplus pad) = m$. It is easy to verify that $\forall m, c$
the $\Pr_{pad}[E(pad, m) = c] = \frac{1}{2^n}$. From this, it can be argued that seeing $c$ gives "no information" about what
has been sent. (In the sense that the adversary's a posteriori probability of predicting $m$ given $c$ is no better
than her a priori probability of predicting $m$ without being given $c$.)
Now, suppose A wants to send B an additional message $m'$. If A were to simply send $c = E(pad, m')$, then the
sum of the lengths of messages $m$ and $m'$ will exceed the length of the secret key $pad$, and thus by Shannon's
theory the system cannot be secure. Indeed, the adversary can compute $E(pad, m) \oplus E(pad, m') = m \oplus m'$ which
gives information about $m$ and $m'$ (e.g. can tell which bits of $m$ and $m'$ are equal and which are different). To
fix this, the length of the pad agreed upon a priori should be the sum total of the length of all messages ever to
be exchanged over the insecure communication line.
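The one-time pad of this section, together with the pad-reuse computation just described, as an added example (not code from the notes): the encryption and decryption maps, the uniform ciphertext distribution over all pads for a short message, and what a line-tapper learns from two ciphertexts under one pad. Messages and pads are constructed here.

```python
# Added example (not from the lecture notes): the one-time pad of Section 1.1
# and the pad-reuse failure that Shannon's bound predicts.
import os
from collections import Counter
from itertools import product


def otp_encrypt(pad: bytes, m: bytes) -> bytes:
    """E(pad, m) = m XOR pad; the pad must be at least as long as the message."""
    if len(pad) < len(m):
        raise ValueError("pad shorter than message: the pad would have to be reused")
    return bytes(mi ^ pi for mi, pi in zip(m, pad))


def otp_decrypt(pad: bytes, c: bytes) -> bytes:
    """D(pad, c) = pad XOR c = pad XOR (m XOR pad) = m; XOR is its own inverse."""
    return otp_encrypt(pad, c)


def ciphertext_distribution(m_bits):
    """Pr_pad[E(pad, m) = c] for a fixed bit-string message m, over all 2^n pads.

    Enumerates every pad exhaustively (only sensible for short m) and returns a
    dictionary mapping each ciphertext to its probability; every c gets 1/2^n.
    """
    n = len(m_bits)
    counts = Counter()
    for pad in product((0, 1), repeat=n):
        c = tuple(mi ^ pi for mi, pi in zip(m_bits, pad))
        counts[c] += 1
    return {c: k / 2 ** n for c, k in counts.items()}


def pad_reuse_leak(pad: bytes, m1: bytes, m2: bytes) -> bytes:
    """What the line-tapper can compute when one pad encrypts two messages:
    E(pad, m1) XOR E(pad, m2) = m1 XOR m2, with the pad cancelling out."""
    c1 = otp_encrypt(pad, m1)
    c2 = otp_encrypt(pad, m2)
    return bytes(a ^ b for a, b in zip(c1, c2))


def equal_bit_positions(xor_of_messages: bytes) -> list:
    """Bit positions where the two messages agree, read off m1 XOR m2 alone:
    a zero bit in the XOR means the two plaintexts carry the same bit there."""
    positions = []
    for byte_index, byte in enumerate(xor_of_messages):
        for bit in range(8):
            if not (byte >> bit) & 1:
                positions.append(byte_index * 8 + bit)
    return positions


if __name__ == "__main__":
    pad = os.urandom(8)  # fresh uniform pad, meant to be used exactly once
    m = b"ATTACK01"  # constructed sample message
    c = otp_encrypt(pad, m)
    assert otp_decrypt(pad, c) == m
    print("3-bit message, all pads:", ciphertext_distribution((1, 0, 1)))
    # Reusing the same pad for a second message leaks m XOR m'.
    leak = pad_reuse_leak(pad, m, b"RETREAT1")
    print("m XOR m' =", leak.hex(), "equal bits:", len(equal_bit_positions(leak)))
```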
1.2 Modern Encryption: A Computational Complexity Based Theory
Modern cryptography abandons the assumption that the adversary has available infinite computing resources,
and assumes instead that the adversary's computation is resource bounded in some reasonable way. In particular,
in these notes we will assume that the adversary is a probabilistic algorithm which runs in polynomial time.
Similarly, the encryption and decryption algorithms designed are probabilistic and run in polynomial time.
The running times of the encryption, decryption, and adversary algorithms are all measured as a function
of a security parameter $k$, which is fixed at the time the cryptosystem is set up. Thus,
when we say that the adversary algorithm runs in polynomial time, we mean time bounded by some polynomial
function in $k$.
Accordingly, in modern cryptography, we speak of the infeasibility of breaking the encryption system and
computing information about exchanged messages, whereas historically one spoke of the impossibility of breaking
the encryption system and finding information about exchanged messages. We note that the encryption systems
which we will describe and claim "secure" with respect to the new adversary are not "secure" with respect to a
computationally unbounded adversary in the way that the one-time pad system was secure against an unbounded
adversary. But, on the other hand, it is no longer necessarily true that the size of the secret key that A and
B meet and agree on before remote transmission must be as long as the total number of secret bits ever to
be exchanged securely remotely. In fact, at the time of the initial meeting, A and B do not need to know in
advance how many secret bits they intend to send in the future.
We will show how to construct such encryption systems, for which the number of messages to be exchanged
securely can be a polynomial in the length of the common secret key. How we construct them brings us to
another fundamental issue, namely that of cryptographic, or complexity, assumptions.
As modern cryptography is based on a gap between efficient algorithms for encryption for the legitimate users
versus the computational infeasibility of decryption for the adversary, it requires that one have available primitives
with certain special kinds of computational hardness properties. Of these, perhaps the most basic is a
one-way function. Informally, a function is one-way if it is easy to compute but hard to invert. Other primitives
include pseudorandom number generators, and pseudorandom function families, which we will define and
discuss later. From such primitives, it is possible to build secure encryption schemes.
Thus, a central issue is where these primitives come from. Although one-way functions are widely believed to
exist, and there are several conjectured candidate one-way functions which are widely used, we currently do
not know how to mathematically prove that they actually exist. We shall thus design cryptographic schemes
assuming we are given a one-way function. We will use the conjectured candidate one-way functions for our
working examples throughout our notes. We will be explicit about what exactly can and cannot be proved and
is thus assumed, attempting to keep the latter to a bare minimum.
Cryptography: Lecture Notes 13
We shall elaborate on various constructions of private-key encryption algorithms later in the course.
The development of public key cryptography in the seventies enables one to drop the requirement that A and
B must share a key in order to encrypt. The receiver B can publish authenticated² information (called the
public-key) for anyone including the adversary, the sender A, and any other sender to read at their convenience
(e.g. in a phone book). We will show encryption algorithms in which whoever can read the public key can send
encrypted messages to B without ever having met B in person. The encryption system is no longer intended
to be used by a pair of prespecified users, but by many senders wishing to send secret messages to a single
recipient. The receiver keeps secret (to himself alone!) information (called the receiver's private key) about the
public-key, which enables him to decrypt the ciphertexts he receives. We call such an encryption method public
key encryption.
We will show that secure public key encryption is possible given a trapdoor function. Informally, a trapdoor
function is a one-way function for which there exists some trapdoor information known to the receiver alone,
with which the receiver can invert the function. The idea of public-key cryptosystems and trapdoor functions
was introduced in the seminal work of Diffie and Hellman in 1976 [71, 72]. Soon after, the first implementations
of their idea were proposed in [176], [170], [143].
A simple construction of public key encryption from trapdoor functions goes as follows. Recipient B can choose
at random a trapdoor function $f$ and its associated trapdoor information $t$, and set its public key to be a
description of $f$ and its private key to be $t$. If A wants to send message $m$ to B, A computes $E(f, m) = f(m)$.
To decrypt $c = f(m)$, B computes $f^{-1}(c) = f^{-1}(f(m)) = m$. We will show that this construction is not secure
enough in general, but construct probabilistic variants of it which are secure.
1.3 A Short List of Candidate One Way Functions
As we said above, the most basic primitive for cryptographic applications is a one-way function which is "easy"
to compute but "hard" to invert. (For public key encryption, it must also have a trapdoor.) By "easy", we
mean that the function can be computed by a probabilistic polynomial time algorithm, and by "hard" that any
probabilistic polynomial time (PPT) algorithm attempting to invert it will succeed with "small" probability
(where the probability ranges over the elements in the domain of the function). Thus, to qualify as a potential
candidate for a one-way function, the hardness of inverting the function should not hold only on rare inputs to
the function but with high probability over the inputs.
Several candidates which seem to possess the above properties have been proposed.
1. Factoring. The function $f : (x, y) \to xy$ is conjectured to be a one-way function. The asymptotically
proven fastest factoring algorithms to date are variations on Dixon's random squares algorithm [131]. It
is a randomized algorithm with running time $L(n)^{\sqrt{2}}$ where $L(n) = e^{\sqrt{\log n \log\log n}}$. The number field sieve
by Lenstra, Lenstra, Manasse, and Pollard with modifications by Adleman and Pomerance is a factoring
algorithm proved under a certain set of assumptions to factor integers in expected time
$e^{(c + o(1))(\log n)^{1/3}(\log\log n)^{2/3}}$ [133, 3].
2. The discrete log problem. Let $p$ be a prime. The multiplicative group $Z_p^* = (\{x < p \mid (x, p) = 1\}, \cdot \bmod p)$
is cyclic, so that $Z_p^* = \{g^i \bmod p \mid 1 \le i \le p - 1\}$ for some generator $g \in Z_p^*$. The function $f : (p, g, x) \to
(g^x \bmod p, p, g)$ where $p$ is a prime and $g$ is a generator for $Z_p^*$ is conjectured to be a one-way function.
Computing $f(p, g, x)$ can be done in polynomial time using repeated squaring. However, the fastest
known proved solution for its inverse, called the discrete log problem, is the index-calculus algorithm,
with expected running time $L(p)^{\sqrt{2}}$ (see [131]). An interesting problem is to find an algorithm which will
generate a prime $p$ and a generator $g$ for $Z_p^*$. It is not known how to find generators in polynomial time.
However, in [8], E. Bach shows how to generate random factored integers (in a given range $\frac{N}{2} \ldots N$).
² Saying that the information is "authenticated" means that the sender is given a guarantee that the information was published
by the legal receiver. How this can be done is discussed in a later chapter.
Coupled with a fast primality tester (as found in [131], for example), this can be used to efficiently
generate random tuples $(p - 1, q_1, \ldots, q_k)$ with $p$ prime. Then picking $g \in Z_p^*$ at random, it can be
checked if $(g, p - 1) = 1$, $\forall q_i$, $g^{(p-1)/q_i} \bmod p \ne 1$, and $g^{p-1} \bmod p = 1$, in which case $\mathrm{order}(g) = p - 1$
($\mathrm{order}(g) = |\{g^i \bmod p \mid 1 \le i \le p - 1\}|$). It can be shown that the density of $Z_p^*$ generators is high so that
few guesses are required. The problem of efficiently finding a generator for a specific $Z_p^*$ is an intriguing
open research problem.
3. Subset sum. Let $a_i \in \{0, 1\}^n$, $a = (a_1, \ldots, a_n)$, $s_i \in \{0, 1\}$, $s = (s_1, \ldots, s_n)$, and let $f : (a, s) \to
(a, \sum_{i=1}^{n} s_i a_i)$. An inverse of $(a, \sum_{i=1}^{n} s_i a_i)$ under $f$ is any $(a, s'_i)$ so that $\sum_{i=1}^{n} s_i a_i = \sum_{i=1}^{n} s'_i a_i$. This
function $f$ is a candidate for a one-way function. The associated decision problem (given $(a, y)$, does
there exist $s$ so that $\sum_{i=1}^{n} s_i a_i = y$?) is NP-complete. Of course, the fact that the subset-sum problem
is NP-complete cannot serve as evidence to the one-wayness of $f_{ss}$. On the other hand, the fact that the
subset-sum problem is easy for special cases (such as "hidden structure" and low density) cannot serve
as evidence for the weakness of this proposal. The conjecture that $f$ is one-way is based on the failure
of known algorithms to handle random high density instances. Yet, one has to admit that the evidence in
favor of this candidate is much weaker than the evidence in favor of the two previous ones.
4. DES with fixed message. Fix a 64 bit message $M$ and define the function $f(K) = \mathrm{DES}_K(M)$ which takes
a 56 bit key $K$ to a 64 bit output $f(K)$. This appears to be a one-way function. Indeed, this construction
can even be proven to be one-way assuming DES is a family of pseudorandom functions, as shown by
Luby and Rackoff [139].
5. RSA. This is a candidate one-way trapdoor function. Let $N = pq$ be a product of two primes. It is
believed that such an $N$ is hard to factor. The function is $f(x) = x^e \bmod N$ where $e$ is relatively prime to
$(p - 1)(q - 1)$. The trapdoor is the primes $p, q$, knowledge of which allows one to invert $f$ efficiently. The
function $f$ seems to be one-way. To date the best attack is to try to factor $N$, which seems computationally
infeasible.
In Chapter 2 we discuss formal definitions of one-way functions and are more precise about the above constructions.
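Two of the candidates above made concrete in code, as an added example that is not part of the notes: the order check of item 2 for verifying a generator of $Z_p^*$ from the prime factors of $p - 1$, and the RSA trapdoor of item 5 used as the raw $f(m)$, $f^{-1}(c)$ construction of Section 1.2 (which, as noted there, is not by itself a secure encryption scheme). The primes and exponents are constructed toy values.

```python
# Added example (not from the lecture notes): two Section 1.3 candidates with
# toy parameters. Real deployments use primes of hundreds of digits; the small
# numbers here are constructed so that every check can be followed by hand.
from math import gcd


def has_full_order(g: int, p: int, factors_of_p_minus_1: list) -> bool:
    """Check order(g) = p - 1 in Z_p^*, given the distinct prime factors q_i of p - 1.

    Mirrors the test in item 2: g^(p-1) = 1 mod p holds for every g in Z_p^*,
    so g generates the whole group iff g^((p-1)/q_i) != 1 mod p for every q_i.
    """
    if gcd(g, p) != 1 or pow(g, p - 1, p) != 1:
        return False
    return all(pow(g, (p - 1) // q, p) != 1 for q in factors_of_p_minus_1)


def find_generator(p: int, factors_of_p_minus_1: list) -> int:
    """Smallest g >= 2 of order p - 1; the density of generators is high,
    so the scan is short (random picks would do equally well)."""
    for g in range(2, p):
        if has_full_order(g, p, factors_of_p_minus_1):
            return g
    raise ValueError("no generator found: is p prime and the factor list complete?")


def discrete_exp(p: int, g: int, x: int) -> tuple:
    """The conjectured one-way function f(p, g, x) = (g^x mod p, p, g).
    Python's three-argument pow is the repeated squaring the text mentions."""
    return (pow(g, x, p), p, g)


def rsa_keygen(p: int, q: int, e: int) -> tuple:
    """Public description (N, e) and trapdoor (p, q); e must be coprime to (p-1)(q-1)."""
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e is not relatively prime to (p-1)(q-1)")
    return (p * q, e), (p, q)


def rsa_forward(public: tuple, x: int) -> int:
    """f(x) = x^e mod N: easy for anyone holding the public key."""
    n, e = public
    return pow(x, e, n)


def rsa_invert(public: tuple, trapdoor: tuple, y: int) -> int:
    """f^{-1}(y) with the trapdoor: d = e^{-1} mod (p-1)(q-1), then y^d mod N.
    Without p and q, computing d is believed to be as hard as factoring N."""
    n, e = public
    p, q = trapdoor
    d = pow(e, -1, (p - 1) * (q - 1))  # modular inverse (Python 3.8+)
    return pow(y, d, n)


if __name__ == "__main__":
    # Constructed toy group: p = 23, p - 1 = 22 = 2 * 11.
    g = find_generator(23, [2, 11])
    print("generator of Z_23^*:", g, " f(23, g, 7) =", discrete_exp(23, g, 7))
    # Constructed toy RSA instance: N = 61 * 53 = 3233, e = 17.
    public, trapdoor = rsa_keygen(61, 53, 17)
    y = rsa_forward(public, 65)
    print("f(65) =", y, " f^-1(f(65)) =", rsa_invert(public, trapdoor, y))
```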
1.4 Security Definitions
So far we have used the terms "secure" and "break the system" quite loosely. What do we really mean? It
is clear that a minimal requirement of security would be that any adversary who can see the ciphertext and
knows which encryption and decryption algorithms are being used cannot recover the entire cleartext. But
many more properties may be desirable. To name a few:
1. It should be hard to recover the messages from the ciphertext when the messages are drawn from arbitrary
probability distributions defined on the set of all strings (i.e. arbitrary message spaces). A few examples
of message spaces are the English language and the set $\{0, 1\}$. We must assume that the message space is
known to the adversary.
2. It should be hard to compute partial information about messages from the ciphertext.
3. It should be hard to detect simple but useful facts about traffic of messages, such as when the same
message is sent twice.
4. The above properties should hold with high probability.
In short, it would be desirable for the encryption scheme to be the mathematical analogue of opaque envelopes
containing a piece of paper on which the message is written. The envelopes should be such that all legal senders
can fill them, but only the legal recipient can open them.
We must answer a few questions:
• How can "opaque envelopes" be captured in a precise mathematical definition? Much of Chapters 6 and 7
is dedicated to discussing the precise definition of security in presence of a computationally bounded
adversary.
• Are "opaque envelopes" achievable mathematically? The answer is positive. We will describe the
proposals of private (and public) encryption schemes which we prove secure under various assumptions.
We note that the simple example of a public-key encryption system based on a trapdoor function, described in
the previous section, does not satisfy the above properties. We will show later, however, probabilistic variants of
the simple system which do satisfy the new security requirements under the assumption that trapdoor functions
exist. More specifically, we will show probabilistic variants of RSA which satisfy the new security requirement
under the assumption that the original RSA function is a trapdoor function, and are similar in efficiency to the
original RSA public-key encryption proposal.
1.5 The Model of Adversary
The entire discussion so far has essentially assumed that the adversary can listen to ciphertexts being exchanged
over the insecure channel, read the public file (in the case of public-key cryptography), generate encryptions
of any message on his own (for the case of public-key encryption), and perform probabilistic polynomial time
computation. This is called a passive adversary.
One may imagine a more powerful adversary who can intercept messages being transmitted from sender to
receiver and either stop their delivery altogether or alter them in some way. Even worse, suppose the adversary
can request a polynomial number of ciphertexts to be decrypted for him. We can still ask whether there exist
encryption schemes (public or secret) which are secure against such more powerful adversaries.
Indeed, such adversaries have been considered and encryption schemes which are secure against them designed.
The definition of security against such adversaries is more elaborate than for passive adversaries.
In Chapters 6 and 7 we consider a passive adversary who knows the probability distribution over the message
space. We will also discuss more powerful adversaries and appropriate definitions of security.
1.6 Road map to Encryption
To summarize the introduction, our challenge is to design both secure private-key and public-key encryption
systems which provably meet our definition of security and in which the operations of encryption and decryption
are as fast as possible for the sender and receiver.
Chapters 6 and 7 embark on an in-depth investigation of the topic of encryption, consisting of the following
parts. For both private-key and public-key encryption, we will:
• Discuss formally how to define security in presence of a bounded adversary.
• Discuss current proposals of encryption systems and evaluate them with respect to the security definition
chosen.
• Describe how to design encryption systems which we can prove secure under explicit assumptions such as
the existence of one-way functions, trapdoor functions, or pseudorandom functions.
• Discuss efficiency aspects of encryption proposals, pointing out possible ways to improve efficiency by
performing some computations off-line, in batch mode, or in an incremental fashion.
We will also overview some advanced topics connected to encryption such as chosen-ciphertext security,
non-malleability, key-escrow proposals, and the idea of shared decryption among many users of a network.
Chapter 2
One-way and trapdoor functions
One-way functions, namely functions that are "easy" to compute and "hard" to invert, are an extremely
important cryptographic primitive. Probably the best known and simplest use of one-way functions is for
passwords. Namely, in a time-shared computer system, instead of storing a table of login passwords, one can
store, for each password $w$, the value $f(w)$. Passwords can easily be checked for correctness at login, but even
the system administrator cannot deduce any user's password by examining the stored table.
In Section 1.3 we provided a short list of some candidate one-way functions. We now develop a theoretical
treatment of the subject of one-way and trapdoor functions, and carefully examine the candidate one-way
functions proposed in the literature. We will occasionally refer to facts about number theory discussed in
Appendix C.
We begin by explaining why oneway functions are of fundamental importance to cryptography.
2.1 One-Way Functions: Motivation
In this section, we provide motivation for the definition of one-way functions. We argue that the existence of
one-way functions is a necessary condition for the existence of most known cryptographic primitives (including
secure encryption and digital signatures). As the current state of knowledge in complexity theory does not allow
us to prove the existence of one-way functions, even using more traditional assumptions such as $P \ne NP$, we will have
to assume the existence of one-way functions. We will later try to provide evidence for the plausibility of this
assumption.
As stated in the introduction chapter, modern cryptography is based on a gap between efficient algorithms
guaranteed for the legitimate user versus the infeasibility of retrieving protected information for an adversary.
To make the following discussion more clear, let us concentrate on the cryptographic task of secure data
communication, namely encryption schemes.
In secure encryption schemes, the legitimate user is able to decipher the messages (using some private information
available to him), yet for an adversary (not having this private information) the task of decrypting the
ciphertext (i.e., "breaking" the encryption) should be infeasible. Clearly, the breaking task can be performed by
a non-deterministic polynomial-time machine. Yet, the security requirement states that breaking should not be
feasible, namely could not be performed by a probabilistic polynomial-time machine. Hence, the existence of secure
encryption schemes implies that there are tasks performed by non-deterministic polynomial-time machines
yet cannot be performed by deterministic (or even randomized) polynomial-time machines. In other words, a
necessary condition for the existence of secure encryption schemes is that $NP$ is not contained in $BPP$ (and
hence that $P \ne NP$).
However, the above mentioned necessary condition (e.g., $P \ne NP$) is not a sufficient one. $P \ne NP$ only implies
that the encryption scheme is hard to break in the worst case. It does not rule out the possibility that the
encryption scheme is easy to break in almost all cases. In fact, one can easily construct "encryption schemes"
for which the breaking problem is NP-complete and yet there exists an efficient breaking algorithm that succeeds
on 99% of the cases. Hence, worst-case hardness is a poor measure of security. Security requires hardness on
most cases or at least average-case hardness. Hence, a necessary condition for the existence of secure encryption
schemes is the existence of languages in $NP$ which are hard on the average. Furthermore, $P \ne NP$ is not
known to imply the existence of languages in $NP$ which are hard on the average.
The mere existence of problems (in NP) which are hard on the average does not suffice. In order to be able to
use such problems we must be able to generate such hard instances together with auxiliary information which
enables one to solve these instances fast. Otherwise, the hard instances will be hard also for the legitimate users and
they gain no computational advantage over the adversary. Hence, the existence of secure encryption schemes
implies the existence of an efficient way (i.e. a probabilistic polynomial-time algorithm) of generating instances
with corresponding auxiliary input so that
(1) it is easy to solve these instances given the auxiliary input; and
(2) it is hard on the average to solve these instances (when not given the auxiliary input).
We avoid formulating the above "definition". We only remark that the coin tosses used in order to generate the
instance provide sufficient information to allow one to efficiently solve the instance (as in item (1) above). Hence,
without loss of generality one can replace condition (2) by requiring that these coin tosses are hard to retrieve
from the instance. The last simplification of the above conditions essentially leads to the definition of a one-way
function.
2.2 One-Way Functions: Definitions
In this section, we present several definitions of one-way functions. The first version, hereafter referred to as
strong one-way function (or just one-way function), is the most convenient one. We also present weak one-way
functions which may be easier to find and yet can be used to construct strong one-way functions, and non-uniform
one-way functions.
2.2.1 (Strong) One-Way Functions
The most basic primitive for cryptographic applications is a one-way function. Informally, this is a function
which is "easy" to compute but "hard" to invert. Namely, any probabilistic polynomial time (PPT) algorithm
attempting to invert the one-way function on an element in its range will succeed with no more than "negligible"
probability, where the probability is taken over the elements in the domain of the function and the coin tosses
of the PPT attempting the inversion.
This informal definition introduces a couple of measures that are prevalent in complexity theoretic cryptography.
An easy computation is one which can be carried out by a PPT algorithm; and a function $\nu : \mathbb{N} \to \mathbb{R}$ is negligible
if it vanishes faster than the inverse of any polynomial. More formally,
Definition 2.1 $\nu$ is negligible if for every constant $c \ge 0$ there exists an integer $k_c$ such that $\nu(k) < k^{-c}$ for all
$k \ge k_c$.
Another way to think of it is $\nu(k) = k^{-\omega(1)}$.
A few words concerning the notion of negligible probability are in place. The above definition and discussion
considers the success probability of an algorithm to be negligible if, as a function of the input length, the success
probability is bounded by any polynomial fraction. It follows that repeating the algorithm polynomially (in
the input length) many times yields a new algorithm that also has a negligible success probability. In other
words, events which occur with negligible (in $k$) probability remain negligible even if the experiment is repeated
polynomially (in $k$) many times. Hence, defining negligible success as "occurring with probability smaller
than any polynomial fraction" is naturally coupled with defining feasible as "computed within polynomial
time". A "strong negation" of the notion of a negligible fraction/probability is the notion of a non-negligible
fraction/probability. We say that a function $\nu$ is non-negligible if there exists a polynomial $p$ such that for all
sufficiently large $k$'s it holds that $\nu(k) > \frac{1}{p(k)}$. Note that functions may be neither negligible nor non-negligible.
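The claim above, that polynomially many repetitions of an algorithm with negligible success probability still succeed only negligibly, worked out from Definition 2.1 as an added derivation (not part of the original notes); $q$ denotes an assumed polynomial bounding the number of repetitions.
Let $\nu$ be negligible and let the algorithm be run $q(k)$ times on inputs of length $k$. By the union bound (no independence of the runs is needed),
$$
\Pr[\text{at least one of the } q(k) \text{ runs succeeds}] \;\le\; q(k)\,\nu(k).
$$
Fix any $c \ge 0$, and pick $d$ and $k_0$ with $q(k) \le k^{d}$ for all $k \ge k_0$. Applying Definition 2.1 to $\nu$ with the constant $c + d$ gives an integer $k_{c+d}$ such that $\nu(k) < k^{-(c+d)}$ for all $k \ge k_{c+d}$. Hence for all $k \ge \max(k_0, k_{c+d})$,
$$
q(k)\,\nu(k) \;<\; k^{d} \cdot k^{-(c+d)} \;=\; k^{-c},
$$
so the function $k \mapsto q(k)\,\nu(k)$ satisfies Definition 2.1 with $k_c' = \max(k_0, k_{c+d})$ and is itself negligible.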
Definition 2.2 A function $f : \{0, 1\}^* \to \{0, 1\}^*$ is one-way if:
(1) there exists a PPT that on input $x$ outputs $f(x)$;
(2) for every PPT algorithm $A$ there is a negligible function $\nu_A$ such that for sufficiently large $k$,
$$
\Pr\left[ f(z) = y \;:\; x \xleftarrow{\$} \{0, 1\}^k ;\ y \leftarrow f(x) ;\ z \leftarrow A(1^k, y) \right] \;\le\; \nu_A(k)
$$
Remark 2.3 The guarantee is probabilistic. The adversary is not unable to invert the function, but has a low probability of doing so, where the probability distribution is taken over the input $x$ to the one-way function, where $x$ is of length $k$, and the possible coin tosses of the adversary. Namely, $x$ is chosen at random and $y$ is set to $f(x)$.
Remark 2.4 The adversary is not asked to find $x$; that would be pretty near impossible. It is asked to find some inverse of $y$. Naturally, if the function is 1-1 then the only inverse is $x$.
Remark 2.5 Note that the adversary algorithm takes as input $f(x)$ and the security parameter $1^k$ (expressed in unary notation) which corresponds to the binary length of $x$. This represents the fact that the adversary can work in time polynomial in $|x|$, even if $f(x)$ happens to be much shorter. This rules out the possibility that a function is considered one-way merely because the inverting algorithm does not have enough time to print the output. Consider for example the function defined as $f(x) = y$ where $y$ is the $\log k$ least significant bits of $x$ where $|x| = k$. Since $|f(x)| = \log |x|$, no algorithm can invert $f$ in time polynomial in $|f(x)|$, yet there exists an obvious algorithm which finds an inverse of $f(x)$ in time polynomial in $|x|$. Note that in the special case of length-preserving functions $f$ (i.e., $|f(x)| = |x|$ for all $x$), the auxiliary input is redundant.
Remark 2.6 By this definition it trivially follows that the size of the output of $f$ is bounded by a polynomial in $k$, since $f$ is polynomial-time computable.
Remark 2.7 The definition, which is typical of definitions from computational complexity theory, works with asymptotic complexity—what happens as the size of the problem becomes large. Security is only asked to hold for large enough input lengths, namely as $k$ goes to infinity. Per this definition, it may be entirely feasible to invert $f$ on, say, 512-bit inputs. Thus such definitions are less directly relevant to practice, but useful for studying things on a basic level. To apply this definition to practice in cryptography we must typically envisage not a single one-way function but a family of them, parameterized by a security parameter $k$. That is, for each value of the security parameter $k$ there is a specific function $f : \{0,1\}^k \to \{0,1\}^*$. Or, there may be a family of functions (or cryptosystems) for each value of $k$. We shall define such families in a subsequent section.
The next two sections discuss variants of the strong one-way function definition. The first-time reader is encouraged to go directly to Section 2.2.4.
2.2.2 Weak One-Way Functions
One-way functions come in two flavors: strong and weak. The definition we gave above refers to a strong one-way function. We could weaken it by replacing the second requirement in the definition of the function by a weaker requirement as follows.
Definition 2.8 A function $f: \{0,1\}^* \to \{0,1\}^*$ is weak one-way if:
(1) there exists a PPT that on input $x$ outputs $f(x)$;
(2) there is a polynomial function $Q$ such that for every PPT algorithm $A$, and for sufficiently large $k$,
$$\Pr\big[\, f(z) \ne y \;:\; x \xleftarrow{\$} \{0,1\}^k ;\; y \leftarrow f(x) ;\; z \leftarrow A(1^k, y) \,\big] \ge \frac{1}{Q(k)}$$
The difference between the two definitions is that whereas we only require some non-negligible fraction of the inputs on which it is hard to invert a weak one-way function, a strong one-way function must be hard to invert on all but a negligible fraction of the inputs. Clearly, the latter is preferable, but what if only weak one-way functions exist? Our first theorem is that the existence of a weak one-way function implies the existence of a strong one-way function. Moreover, we show how to construct a strong one-way function from a weak one. This is important in practice as illustrated by the following example.
Example 2.9 Consider for example the function $f : \mathbb{Z} \times \mathbb{Z} \to \mathbb{Z}$ where $f(x, y) = x \cdot y$. This function can be easily inverted on at least half of its outputs (namely, on the even integers) and thus is not a strong one-way function. Still, we said in the first lecture that $f$ is hard to invert when $x$ and $y$ are primes of roughly the same length, which is the case for a polynomial fraction of the $k$-bit composite integers. This motivated the definition of a weak one-way function. Since the probability that a $k$-bit integer $x$ is prime is approximately $1/k$, we get that the probability that both $x$ and $y$ with $|x| = |y| = k$ are prime is approximately $1/k^2$. Thus, for all $k$, about $1 - \frac{1}{k^2}$ of the inputs to $f$ of length $2k$ are prime pairs of equal length. It is believed that no adversary can invert $f$ when $x$ and $y$ are primes of the same length with non-negligible success probability, and under this belief, $f$ is a weak one-way function (as condition 2 in the above definition is satisfied for $Q(k) = O(k^2)$).
Theorem 2.10 Weak one-way functions exist if and only if strong one-way functions exist.
Proof Sketch: By definition, a strong one-way function is a weak one-way function. Now assume that $f$ is a weak one-way function such that $Q$ is the polynomial in condition 2 in the definition of a weak one-way function. Define the function
$$f_1(x_1 \ldots x_N) = f(x_1) \ldots f(x_N)$$
where $N = 2kQ(k)$ and each $x_i$ is of length $k$.
We claim that $f_1$ is a strong one-way function. Since $f_1$ is a concatenation of $N$ copies of the function $f$, to correctly invert $f_1$ we need to invert $f(x_i)$ correctly for each $i$. We know that every adversary has a probability of at least $\frac{1}{Q(k)}$ to fail to invert $f(x)$ (where the probability is taken over $x \in \{0,1\}^k$ and the coin tosses of the adversary), and so intuitively, to invert $f_1$ we need to invert $O(kQ(k))$ instances of $f$. The probability that the adversary will fail for at least one of these instances is extremely high.
The formal proof (which is omitted here and will be given in the appendix) will take the form of a reduction; that is, we will assume for contradiction that $f_1$ is not a strong one-way function and that there exists some adversary $A_1$ that violates condition 2 in the definition of a strong one-way function. We will then show that $A_1$ can be used as a subroutine by a new adversary $A$ that will be able to invert the original function $f$ with probability better than $1 - \frac{1}{Q(|x|)}$ (where the probability is taken over the inputs $x \in \{0,1\}^k$ and the coin tosses of $A$). But this will mean that $f$ is not a weak one-way function and we have derived a contradiction.
This proof technique is quite typical of proofs presented in this course. Whenever such a proof is presented it is important to examine the cost of the reduction. For example, the construction we have just outlined is not length preserving, but expands the size of the input to the function quadratically.
2.2.3 Non-Uniform One-Way Functions
In the above two definitions of one-way functions the inverting algorithm is probabilistic polynomial-time. Stronger versions of both definitions require that the functions cannot be inverted even by non-uniform families of polynomial-size algorithms. We stress that the “easy to compute” condition is still stated in terms of uniform algorithms. For example, the following is a non-uniform version of the definition of (strong) one-way functions.
Definition 2.11 A function $f$ is called non-uniformly strong one-way if the following two conditions hold
(1) easy to compute: as before, there exists a PPT algorithm to compute $f$.
(2) hard to invert: for every (even non-uniform) family of polynomial-size algorithms $A = \{M_k\}_{k \in \mathbb{N}}$, there exists a negligible $\nu_A$ such that for all sufficiently large $k$
$$\Pr\big[\, f(z) = y \;:\; x \xleftarrow{\$} \{0,1\}^k ;\; y \leftarrow f(x) ;\; z \leftarrow M_k(y) \,\big] \le \nu_A(k)$$
Note that it is redundant to give $1^k$ as an auxiliary input to $M_k$.
It can be shown that if $f$ is non-uniformly one-way then it is (strongly) one-way (i.e., in the uniform sense). The proof follows by converting any (uniform) probabilistic polynomial-time inverting algorithm into a non-uniform family of polynomial-size algorithms, without decreasing the success probability. Details follow. Let $A'$ be a probabilistic polynomial-time (inverting) algorithm. Let $r_k$ denote a sequence of coin tosses for $A'$ maximizing the success probability of $A'$. The desired algorithm $M_k$ incorporates the code of algorithm $A'$ and the sequence $r_k$ (which is of length polynomial in $k$).
It is possible, yet not very plausible, that strongly one-way functions exist but there are no non-uniformly one-way functions.
2.2.4 Collections Of One-Way Functions
Instead of talking about a single function $f : \{0,1\}^* \to \{0,1\}^*$, it is often convenient to talk about collections of functions, each defined over some finite domain and finite range. We remark, however, that the single-function format makes it easier to prove properties about one-way functions.
Definition 2.12 Let $I$ be a set of indices and for $i \in I$ let $D_i$ and $R_i$ be finite. A collection of strong one-way functions is a set $F = \{f_i : D_i \to R_i\}_{i \in I}$ satisfying the following conditions.
(1) There exists a PPT $S_1$ which on input $1^k$ outputs an $i \in \{0,1\}^k \cap I$.
(2) There exists a PPT $S_2$ which on input $i \in I$ outputs $x \in D_i$.
(3) There exists a PPT $A_1$ such that for $i \in I$ and $x \in D_i$, $A_1(i, x) = f_i(x)$.
(4) For every PPT $A$ there exists a negligible $\nu_A$ such that $\forall k$ large enough
$$\Pr\big[\, f_i(z) = y \;:\; i \xleftarrow{\$} I ;\; x \xleftarrow{\$} D_i ;\; y \leftarrow f_i(x) ;\; z \leftarrow A(i, y) \,\big] \le \nu_A(k)$$
(here the probability is taken over choices of $i$ and $x$, and the coin tosses of $A$).
In general, we can show that the existence of a single one way function is equivalent to the existence of a
collection of one way functions. We prove this next.
Theorem 2.13 A collection of one way functions exists if and only if one way functions exist.
Proof: Suppose that $f$ is a one-way function. Set $F = \{f_i : D_i \to R_i\}_{i \in I}$ where $I = \{0,1\}^*$ and for $i \in I$, take $D_i = R_i = \{0,1\}^{|i|}$ and $f_i(x) = f(x)$. Furthermore, $S_1$ on input $1^k$ uniformly chooses $i \in \{0,1\}^k$, $S_2$ on input $i$ uniformly chooses $x \in D_i = \{0,1\}^{|i|}$, and $A_1(i, x) = f_i(x) = f(x)$. (Note that $f$ is polynomial-time computable.) Condition 4 in the definition of a collection of one-way functions clearly follows from the similar condition for $f$ to be a one-way function.
Now suppose that $F = \{f_i : D_i \to R_i\}_{i \in I}$ is a collection of one-way functions. Define $f_F(1^k, r_1, r_2) = A_1(S_1(1^k, r_1), S_2(S_1(1^k, r_1), r_2))$ where $A_1$, $S_1$, and $S_2$ are the functions associated with $F$ as defined in Definition 2.12. In other words, $f_F$ takes as input a string $1^k \circ r_1 \circ r_2$ where $r_1$ and $r_2$ will be the coin tosses of $S_1$ and $S_2$, respectively, and then
• Runs $S_1$ on input $1^k$ using the coin tosses $r_1$ to get the index $i = S_1(1^k, r_1)$ of a function $f_i \in F$.
• Runs $S_2$ on the output $i$ of $S_1$ using the coin tosses $r_2$ to find an input $x = S_2(i, r_2)$.
• Runs $A_1$ on $i$ and $x$ to compute $f_F(1^k, r_1, r_2) = A_1(i, x) = f_i(x)$.
Note that randomization has been restricted to the input of $f_F$ and since $A_1$ is computable in polynomial time, the conditions of a one-way function are clearly met.
A possible example is the following, treated thoroughly in Section 2.3.
Example 2.14 The hardness of computing discrete logarithms yields the following collection of functions. Define $\mathrm{EXP} = \{\mathrm{EXP}_{p,g}(i) = g^i \bmod p,\ \mathrm{EXP}_{p,g} : \mathbb{Z}_p \to \mathbb{Z}_p^*\}_{\langle p, g\rangle \in I}$ for $I = \{\langle p, g\rangle : p \text{ prime},\ g \text{ generator for } \mathbb{Z}_p^*\}$.
2.2.5 Trapdoor Functions and Collections
Informally, a trapdoor function $f$ is a one-way function with an extra property. There also exists a secret inverse function (the trapdoor) that allows its possessor to efficiently invert $f$ at any point in the domain of his choosing. It should be easy to compute $f$ on any point, but infeasible to invert $f$ on any point without knowledge of the inverse function. Moreover, it should be easy to generate matched pairs of $f$'s and corresponding trapdoors. Once a matched pair is generated, the publication of $f$ should not reveal anything about how to compute its inverse on any point.
Definition 2.15 A trapdoor function is a one-way function $f : \{0,1\}^* \to \{0,1\}^*$ such that there exists a polynomial $p$ and a probabilistic polynomial-time algorithm $I$ such that for every $k$ there exists a $t_k \in \{0,1\}^*$ such that $|t_k| \le p(k)$ and for all $x \in \{0,1\}^*$, $I(f(x), t_k) = y$ such that $f(y) = f(x)$.
An example of a function which may be trapdoor if factoring integers is hard was proposed by Rabin [170]. Let $f(x, n) = x^2 \bmod n$ where $n = pq$ is a product of two primes and $x \in \mathbb{Z}_n^*$. Rabin [170] has shown that inverting $f$ is easy iff factoring composite numbers that are the product of two primes is easy. The most famous candidate trapdoor function is the RSA [176] function $f(x, n, l) = x^l \bmod n$ where $(l, \phi(n)) = 1$.
Again it will be more convenient to speak of families of trapdoor functions parameterized by security parameter
k.
Definition 2.16 Let $I$ be a set of indices and for $i \in I$ let $D_i$ be finite. A collection of strong one-way trapdoor functions is a set $F = \{f_i : D_i \to D_i\}_{i \in I}$ satisfying the following conditions.
(1) There exists a polynomial $p$ and a PTM $S_1$ which on input $1^k$ outputs pairs $(i, t_i)$ where $i \in I \cap \{0,1\}^k$ and $|t_i| < p(k)$. The information $t_i$ is referred to as the trapdoor of $i$.
(2) There exists a PTM $S_2$ which on input $i \in I$ outputs $x \in D_i$.
(3) There exists a PTM $A_1$ such that for $i \in I$, $x \in D_i$, $A_1(i, x) = f_i(x)$.
(4) There exists a PTM $A_2$ such that $A_2(i, t_i, f_i(x)) = x$ for all $x \in D_i$ and for all $i \in I$ (that is, $f_i$ is easy to invert when $t_i$ is known).
(5) For every PPT $A$ there exists a negligible $\nu_A$ such that $\forall k$ large enough
$$\Pr\big[\, f_i(z) = y \;:\; i \xleftarrow{\$} I ;\; x \xleftarrow{\$} D_i ;\; y \leftarrow f_i(x) ;\; z \leftarrow A(i, y) \,\big] \le \nu_A(k)$$
A possible example is the following, treated in detail in the next sections.
Example 2.17 [The RSA collection of possible trapdoor functions] Let $p, q$ denote primes, $n = pq$, $\mathbb{Z}_n^* = \{1 \le x \le n : (x, n) = 1\}$ the multiplicative group whose cardinality is $\phi(n) = (p-1)(q-1)$, and $e \in \mathbb{Z}_{p-1}$ relatively prime to $\phi(n)$. Our set of indices will be $I = \{\langle n, e\rangle \text{ such that } n = pq,\ |p| = |q|\}$ and the trapdoor associated with the particular index $\langle n, e\rangle$ be $d$ such that $ed \equiv 1 \pmod{\phi(n)}$. Let $\mathrm{RSA} = \{\mathrm{RSA}_{\langle n,e\rangle} : \mathbb{Z}_n^* \to \mathbb{Z}_n^*\}_{\langle n,e\rangle \in I}$ where $\mathrm{RSA}_{\langle n,e\rangle}(x) = x^e \bmod n$.
2.3 In Search of Examples
Number theory provides a source of candidates for one-way and trapdoor functions. Let us start our search for examples by a digression into number theory. See also the mini-course on number theory in Appendix C.
Calculating Inverses in $\mathbb{Z}_p^*$
Consider the set $\mathbb{Z}_p^* = \{x : 1 \le x < p \text{ and } \gcd(x, p) = 1\}$ where $p$ is prime. $\mathbb{Z}_p^*$ is a group under multiplication modulo $p$. Note that to find the inverse of $x \in \mathbb{Z}_p^*$, that is, an element $y \in \mathbb{Z}_p^*$ such that $yx \equiv 1 \pmod p$, we can use the Euclidean algorithm to find integers $y$ and $z$ such that $yx + zp = 1 = \gcd(x, p)$. Then, it follows that $yx \equiv 1 \pmod p$ and so $y \bmod p$ is the desired inverse.
The Euler Totient Function $\phi(n)$
Euler's Totient Function $\phi$ is defined by $\phi(n) = |\{x : 1 \le x < n \text{ and } \gcd(x, n) = 1\}|$. The following are facts about $\phi$.
(1) For $p$ a prime and $\alpha \ge 1$, $\phi(p^\alpha) = p^{\alpha-1}(p-1)$.
(2) For integers $m, n$ with $\gcd(m, n) = 1$, $\phi(mn) = \phi(m)\phi(n)$.
Using the rules above, we can find $\phi$ for any $n$ because, in general,
$$\phi(n) = \phi\Big(\prod_{i=1}^{k} p_i^{\alpha_i}\Big) = \prod_{i=1}^{k} \phi\big(p_i^{\alpha_i}\big) = \prod_{i=1}^{k} p_i^{\alpha_i - 1}(p_i - 1)$$
$\mathbb{Z}_p^*$ Is Cyclic
A group $G$ is cyclic if and only if there is an element $g \in G$ such that for every $a \in G$, there is an integer $i$ such that $g^i = a$. We call $g$ a generator of the group $G$ and we denote the index $i$ by $\mathrm{ind}_g(a)$.
Theorem 2.18 (Gauss) If $p$ is prime then $\mathbb{Z}_p^*$ is a cyclic group of order $p-1$. That is, there is an element $g \in \mathbb{Z}_p^*$ such that $g^{p-1} \equiv 1 \pmod p$ and $g^i \not\equiv 1 \pmod p$ for $i < p-1$.
From Theorem 2.18 the following fact is immediate.
Fact 2.19 Given a prime $p$, a generator $g$ for $\mathbb{Z}_p^*$, and an element $a \in \mathbb{Z}_p^*$, there is a unique $1 \le i \le p-1$ such that $a = g^i$.
The Legendre Symbol
Fact 2.20 If $p$ is a prime and $g$ is a generator of $\mathbb{Z}_p^*$, then
$$g^c = g^a g^b \bmod p \iff c = a + b \bmod (p-1)$$
From this fact it follows that there is a homomorphism $f : \mathbb{Z}_p^* \to \mathbb{Z}_{p-1}$ such that $f(ab) = f(a) + f(b)$. As a result we can work with $\mathbb{Z}_{p-1}$ rather than $\mathbb{Z}_p^*$, which sometimes simplifies matters. For example, suppose we wish to determine how many elements in $\mathbb{Z}_p^*$ are perfect squares (these elements will be referred to as quadratic residues modulo $p$). The following lemma tells us that the number of quadratic residues modulo $p$ is $\frac{1}{2}|\mathbb{Z}_p^*|$.
Lemma 2.21 $a \in \mathbb{Z}_p^*$ is a quadratic residue modulo $p$ if and only if $a = g^x \bmod p$ where $x$ satisfies $1 \le x \le p-1$ and is even.
Proof: Let $g$ be a generator in $\mathbb{Z}_p^*$.
($\Leftarrow$) Suppose an element $a = g^{2x}$ for some $x$. Then $a = s^2$ where $s = g^x$.
($\Rightarrow$) Consider the square of an element $b = g^y$. $b^2 = g^{2y} \equiv g^e \pmod p$ where $e$ is even since $2y$ is reduced modulo $p-1$, which is even. Therefore, only those elements which can be expressed as $g^e$, for $e$ an even integer, are squares.
Consequently, the number of quadratic residues modulo $p$ is the number of elements in $\mathbb{Z}_p^*$ which are an even power of some given generator $g$. This number is clearly $\frac{1}{2}|\mathbb{Z}_p^*|$.
The Legendre Symbol $J_p(x)$ specifies whether $x$ is a perfect square in $\mathbb{Z}_p^*$ where $p$ is a prime.
$$J_p(x) = \begin{cases} 1 & \text{if } x \text{ is a square in } \mathbb{Z}_p^* \\ 0 & \text{if } \gcd(x, p) \ne 1 \\ -1 & \text{if } x \text{ is not a square in } \mathbb{Z}_p^* \end{cases}$$
The Legendre Symbol can be calculated in polynomial time due to the following theorem.
Theorem 2.22 [Euler's Criterion] $J_p(x) \equiv x^{\frac{p-1}{2}} \pmod p$.
Using repeated doubling to compute exponentials, one can calculate $x^{\frac{p-1}{2}}$ in $O(|p|^3)$ steps. Though $J_p(x)$ can be calculated when $p$ is a prime, it is not known how to determine for general $x$ and $n$ whether $x$ is a square in $\mathbb{Z}_n^*$.
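As an added worked example (Python written for these notes, not code from the lecture notes themselves), the following computes inverses in $\mathbb{Z}_p^*$ with the extended Euclidean algorithm described above, evaluates $J_p(x)$ by Euler's criterion, and checks the quadratic-residue count of Lemma 2.21 against brute force; the prime 23 and all function names are constructed for illustration.

```python
"""Added example, not from the lecture notes: inverses in Z_p^* via the
extended Euclidean algorithm, the Legendre symbol J_p(x) via Euler's
criterion, and the quadratic-residue count of Lemma 2.21, each checked
against brute force for a small prime p (all constants are constructed)."""

from math import gcd


def extended_gcd(a: int, b: int) -> tuple:
    """Return (g, y, z) with y*a + z*b == g == gcd(a, b)."""
    old_r, r = a, b
    old_y, y = 1, 0
    old_z, z = 0, 1
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_y, y = y, old_y - q * y
        old_z, z = z, old_z - q * z
    return old_r, old_y, old_z


def inverse_mod_p(x: int, p: int) -> int:
    """The inverse of x in Z_p^*: from y*x + z*p = 1 = gcd(x, p), y mod p is it."""
    g, y, _ = extended_gcd(x, p)
    if g != 1:
        raise ValueError("x is not a unit modulo p")
    return y % p


def legendre_euler(x: int, p: int) -> int:
    """J_p(x) by Euler's criterion: x^((p-1)/2) mod p is 1 for squares and
    p-1 for non-squares; gcd(x, p) != 1 gives 0. pow() does the repeated squaring."""
    if gcd(x, p) != 1:
        return 0
    r = pow(x, (p - 1) // 2, p)
    return 1 if r == 1 else -1


def legendre_bruteforce(x: int, p: int) -> int:
    """Reference answer: enumerate every square in Z_p^* and look x up."""
    if gcd(x, p) != 1:
        return 0
    squares = {pow(s, 2, p) for s in range(1, p)}
    return 1 if x % p in squares else -1


def count_quadratic_residues(p: int) -> int:
    """Lemma 2.21 predicts (p-1)/2 residues for an odd prime p."""
    return sum(1 for x in range(1, p) if legendre_euler(x, p) == 1)


def euler_matches_bruteforce(p: int) -> bool:
    """Check Theorem 2.22 exhaustively for one prime, including the gcd != 1 case."""
    return all(legendre_euler(x, p) == legendre_bruteforce(x, p) for x in range(p))


if __name__ == "__main__":
    P = 23  # constructed small prime
    print("5^-1 mod 23 =", inverse_mod_p(5, P))
    print("J_23(2) =", legendre_euler(2, P), " J_23(5) =", legendre_euler(5, P))
    print("quadratic residues mod 23:", count_quadratic_residues(P))
```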
2.3.1 The Discrete Logarithm Function
Let $\mathrm{EXP}$ be the function defined by $\mathrm{EXP}(p, g, x) = (p, g, g^x \bmod p)$. We are particularly interested in the case when $p$ is a prime and $g$ is a generator of $\mathbb{Z}_p^*$. Define an index set $I = \{(p, g) : p \text{ is prime and } g \text{ is a generator of } \mathbb{Z}_p^*\}$. For $(p, g) \in I$, it follows by Fact 2.19 that $\mathrm{EXP}(p, g, x)$ has a unique inverse and this allows us to define for $y \in \mathbb{Z}_p^*$ the discrete logarithm function $\mathrm{DL}$ by $\mathrm{DL}(p, g, y) = (p, g, x)$ where $x \in \mathbb{Z}_{p-1}$ and $g^x \equiv y \pmod p$. Given $p$ and $g$, $\mathrm{EXP}(p, g, x)$ can easily be computed in polynomial time. However, it is unknown whether or not its inverse $\mathrm{DL}$ can be computed in polynomial time unless $p-1$ has very small factors (see [164]). Pohlig and Hellman [164] present effective techniques for this problem when $p-1$ has only small prime factors.
The best fully proved up-to-date algorithm for computing discrete logs is the Index-calculus algorithm. The expected running time of such an algorithm is polynomial in $e^{\sqrt{k \log k}}$ where $k$ is the size of the modulus $p$. There is a recent variant of the number field sieve algorithm for discrete logarithm which seems to work in the faster running time of $e^{(k \log k)^{1/3}}$. It is interesting to note that working over the finite field $GF(2^k)$ rather than working modulo $p$ seems to make the problem substantially easier (see Coppersmith [61] and Odlyzko [158]). Curiously, computing discrete logarithms and factoring integers seem to have essentially the same difficulty, at least as indicated by the current state-of-the-art algorithms.
With all this in mind, we consider $\mathrm{EXP}$ a good candidate for a one-way function. We make the following explicit assumption in this direction. The assumption basically says that there exists no polynomial-time algorithm that can solve the discrete log problem with prime modulus.
Strong Discrete Logarithm Assumption (DLA):$^1$ For every polynomial $Q$ and every PPT $A$, for all sufficiently large $k$,
$$\Pr[A(p, g, y) = x \text{ such that } y \equiv g^x \pmod p \text{ where } 1 \le x \le p-1] < \frac{1}{Q(k)}$$
(where the probability is taken over all primes $p$ such that $|p| \le k$, the generators $g$ of $\mathbb{Z}_p^*$, $x \in \mathbb{Z}_p^*$ and the coin tosses of $A$).
As an immediate consequence of this assumption we get
Theorem 2.23 Under the strong discrete logarithm assumption there exists a strong one-way function; namely, exponentiation modulo a prime $p$.
Some useful properties of $\mathrm{EXP}$ and $\mathrm{DL}$ follow.
Remark 2.24 If $\mathrm{DL}(p, g_1, y)$ is easy to calculate for some generator $g_1 \in \mathbb{Z}_p^*$ then it is also easy to calculate $\mathrm{DL}(p, g_2, y)$ for any other generator $g_2 \in \mathbb{Z}_p^*$. (The group $\mathbb{Z}_p^*$ has $\phi(p-1)$ generators.) To see this, suppose that $x_1 = \mathrm{DL}(p, g_1, y)$ and $x_2 = \mathrm{DL}(p, g_2, y)$. If $g_2 \equiv g_1^z \pmod p$ where $\gcd(z, p-1) = 1$ then $y \equiv g_1^{x_2 z} \pmod p$ and consequently, $x_2 \equiv z^{-1} x_1 \pmod{p-1}$.
The following result shows that to efficiently calculate $\mathrm{DL}(p, g, y)$ for $(p, g) \in I$ it will suffice to find a polynomial-time algorithm which can calculate $\mathrm{DL}(p, g, y)$ on at least a $\frac{1}{Q(|p|)}$ fraction of the possible inputs $y \in \mathbb{Z}_p^*$ for some polynomial $Q$.
Proposition 2.25 Let $\epsilon, \delta \in (0, 1)$ and let $S$ be a subset of the prime integers. Suppose there is a probabilistic algorithm $A$ such that for all primes $p \in S$ and for all generators $g$ of $\mathbb{Z}_p^*$
$$\Pr[A(p, g, y) = x \text{ such that } g^x \equiv y \pmod p] > \epsilon$$
(where the probability is taken over $y \in \mathbb{Z}_p^*$ and the coin tosses of $A$) and $A$ runs in time polynomial in $|p|$. Then there is a probabilistic algorithm $A'$ running in time polynomial in $\epsilon^{-1}$, $\delta^{-1}$, and $|p|$ such that for all primes $p \in S$, generators $g$ of $\mathbb{Z}_p^*$, and $y \in \mathbb{Z}_p^*$
$$\Pr[A'(p, g, y) = x \text{ such that } g^x \equiv y \pmod p] > 1 - \delta$$
(where the probability is taken over the coin tosses of $A'$).
$^1$ We note that a weaker assumption can be made concerning the discrete logarithm problem, and by the standard construction one can still construct a strong one-way function. We will assume for the purpose of the course the first, stronger assumption. Weak Discrete Logarithm Assumption: There is a polynomial $Q$ such that for every PTM $A$ there exists an integer $k_0$ such that $\forall k > k_0$
$$\Pr[A(p, g, y) = x \text{ such that } y \equiv g^x \pmod p \text{ where } 1 \le x \le p-1] < 1 - \frac{1}{Q(k)}$$
(where the probability is taken over all primes $p$ such that $|p| \le k$, the generators $g$ of $\mathbb{Z}_p^*$, $x \in \mathbb{Z}_p^*$ and the coin tosses of $A$).
Proof: Choose the smallest integer $N$ for which $\frac{1}{e^N} < \delta$. Consider the algorithm $A'$ running as follows on inputs $p \in S$, $g$ a generator of $\mathbb{Z}_p^*$ and $y \in \mathbb{Z}_p^*$.
Repeat $\epsilon^{-1} N$ times.
    Randomly choose $z$ such that $1 \le z \le p-1$.
    Let $w = A(p, g, g^z y)$.
    If $A$ succeeds then $g^w = g^z y = g^{z+x} \bmod p$ where $x = \mathrm{DL}_{p,g}(y)$ and therefore $\mathrm{DL}_{p,g}(y) = w - z \bmod (p-1)$.
    Otherwise, continue to next iteration.
End loop
We can estimate the probability that $A'$ fails:
$$\Pr[A'(p, g, y) \text{ fails}] = \Pr[\text{a single iteration of the loop of } A' \text{ fails}]^{\epsilon^{-1} N} < (1 - \epsilon)^{\epsilon^{-1} N} < e^{-N} < \delta$$
Note that since $N = O(\log(\delta^{-1})) = O(\delta^{-1})$, $A'$ is a probabilistic algorithm which runs in time polynomial in $\epsilon^{-1}$, $\delta^{-1}$, and $|p|$.
The discrete logarithm problem also yields the following collection of functions. Let $I = \{(p, g) : p \text{ is prime and } g \text{ is a generator of } \mathbb{Z}_p^*\}$ and define
$$\mathrm{EXP} = \{\mathrm{EXP}_{p,g} : \mathbb{Z}_{p-1} \to \mathbb{Z}_p^* \text{ where } \mathrm{EXP}_{p,g}(x) = g^x \bmod p\}_{(p,g) \in I}.$$
Then, under the strong discrete logarithm assumption, $\mathrm{EXP}$ is a collection of strong one-way functions. This claim will be shown to be true next.
Theorem 2.26 Under the strong discrete logarithm assumption there exists a collection of strong one-way functions.
Proof: We shall show that under the DLA, $\mathrm{EXP}$ is indeed a collection of one-way functions. For this we must show that it satisfies each of the conditions in the definition of a collection of one-way functions.
For condition 1, define $S_1$ to run as follows on input $1^k$.
(1) Run Bach's algorithm (given in [8]) to get a random integer $n$ such that $|n| = k$ along with its factorization.
(2) Test whether $n+1$ is prime. See primality testing in Section C.9.
(3) If so, let $p = n+1$. Given the prime factorization of $p-1$ we look for generators $g$ of $\mathbb{Z}_p^*$ as follows.
    (1) Choose $g \in \mathbb{Z}_p^*$ at random.
    (2) If $p-1 = \prod_i q_i^{\alpha_i}$ is the prime factorization of $p-1$ then for each $q_i$ check that $g^{\frac{p-1}{q_i}} \not\equiv 1 \pmod p$.
    If so, then $g$ is a generator of $\mathbb{Z}_p^*$. Output $p$ and $g$.
    Otherwise, repeat from step 1.
Claim 2.27 $g$ is a generator of $\mathbb{Z}_p^*$ if for each prime divisor $q$ of $p-1$, $g^{\frac{p-1}{q}} \not\equiv 1 \pmod p$.
Proof: The element $g$ is a generator of $\mathbb{Z}_p^*$ if $g^{p-1} \equiv 1 \pmod p$ and $g^j \not\equiv 1 \pmod p$ for all $j$ such that $1 \le j < p-1$; that is, $g$ has order $p-1$ in $\mathbb{Z}_p^*$.
Now, suppose that $g$ satisfies the condition of Claim 2.27 and let $m$ be the order of $g$ in $\mathbb{Z}_p^*$. Then $m \mid p-1$. If $m < p-1$ then there exists a prime $q$ such that $m \mid \frac{p-1}{q}$; that is, there is an integer $d$ such that $md = \frac{p-1}{q}$. Therefore $g^{\frac{p-1}{q}} = (g^m)^d \equiv 1 \pmod p$, contradicting the hypothesis. Hence, $m = p-1$ and $g$ is a generator of $\mathbb{Z}_p^*$.
Also, note that the number of generators in $\mathbb{Z}_p^*$ is $\phi(p-1)$ and in [178] it is shown that
$$\phi(k) > \frac{k}{6 \log\log k}.$$
Thus we expect to have to choose $O(\log\log p)$ candidates for $g$ before we obtain a generator. Hence, $S_1$ runs in expected polynomial time.
For condition 2 in the definition of a collection of one-way functions, we can define $S_2$ to simply output $x \in \mathbb{Z}_{p-1}$ at random given $i = (p, g)$.
Condition 3 is true since the computation of $g^x \bmod p$ can be performed in polynomial time, and condition 4 follows from the strong discrete logarithm assumption.
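The sampler $S_1$ above, as an added Python example that is not part of the lecture notes: it implements the generator test of Claim 2.27, counts generators to compare with $\phi(p-1)$, and applies the change-of-generator identity of Remark 2.24. Trial-division factoring of $p-1$ stands in for Bach's algorithm (an assumption that limits it to toy primes), and the prime 23 and all names are constructed.

```python
"""Added example, not from the lecture notes: the sampler S_1 for the EXP
collection sketched in the proof of Theorem 2.26, with the generator test of
Claim 2.27 and the change-of-generator identity of Remark 2.24. Assumption:
Bach's algorithm is replaced by trial-division factoring of p-1, so this is a
toy for small primes only; all constants are constructed."""

import random


def trial_factor(n: int) -> dict:
    """Prime factorization {q: alpha} of n by trial division (toy stand-in for Bach)."""
    factors = {}
    d = 2
    while d * d <= n:
        while n % d == 0:
            factors[d] = factors.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def is_generator(g: int, p: int, primes_of_p_minus_1) -> bool:
    """Claim 2.27: g generates Z_p^* iff g^((p-1)/q) != 1 mod p for every prime q | p-1."""
    return all(pow(g, (p - 1) // q, p) != 1 for q in primes_of_p_minus_1)


def order_bruteforce(g: int, p: int) -> int:
    """Reference: the smallest m >= 1 with g^m = 1 mod p."""
    m, acc = 1, g % p
    while acc != 1:
        acc = acc * g % p
        m += 1
    return m


def count_generators(p: int) -> int:
    """Should equal phi(p-1), as the proof of Theorem 2.26 notes."""
    qs = trial_factor(p - 1)
    return sum(1 for g in range(1, p) if is_generator(g, p, qs))


def sample_generator(p: int, seed: int = 0) -> int:
    """Steps (1)-(2) inside S_1: draw g at random until the Claim 2.27 test passes."""
    rng = random.Random(seed)
    qs = trial_factor(p - 1)
    while True:
        g = rng.randrange(1, p)
        if is_generator(g, p, qs):
            return g


def exp_pg(p: int, g: int, x: int) -> int:
    """EXP_{p,g}(x) = g^x mod p, condition 3 of the collection."""
    return pow(g, x, p)


def dl_bruteforce(p: int, g: int, y: int) -> int:
    """Toy DL_{p,g}(y) by exhaustive search, only to demonstrate Remark 2.24."""
    for x in range(1, p):
        if pow(g, x, p) == y % p:
            return x
    raise ValueError("y is not in the subgroup generated by g")


def change_of_generator(p: int, g1: int, g2: int, x1: int) -> int:
    """Remark 2.24: with y = g1^x1 and g2 = g1^z (gcd(z, p-1) = 1), the log of y
    to base g2 is x2 = z^-1 * x1 mod (p-1), so one DL oracle serves every base."""
    z = dl_bruteforce(p, g1, g2)
    z_inv = pow(z, -1, p - 1)
    return (z_inv * x1) % (p - 1)


if __name__ == "__main__":
    P = 23  # constructed prime; p - 1 = 2 * 11
    g = sample_generator(P)
    print("generator", g, "of order", order_bruteforce(g, P))
    print("number of generators:", count_generators(P))
```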
2.3.2 The RSA function
In 1977 Rivest, Shamir, and Adleman [176] proposed a trapdoor function candidate motivated by finding a public-key cryptosystem satisfying the requirements proposed by Diffie and Hellman. The trapdoor function proposed is $\mathrm{RSA}(n, e, x) = x^e \bmod n$ where the case of interest is that $n$ is the product of two large primes $p$ and $q$ and $\gcd(e, \phi(n)) = 1$. The corresponding trapdoor information is $d$ such that $de \equiv 1 \pmod{\phi(n)}$.
Viewed as a collection, let $\mathrm{RSA} = \{\mathrm{RSA}_{n,e} : \mathbb{Z}_n^* \to \mathbb{Z}_n^* \text{ where } \mathrm{RSA}_{n,e}(x) = x^e \bmod n\}_{(n,e) \in I}$ for $I = \{\langle n, e\rangle \text{ s.t. } n = pq,\ |p| = |q|,\ (e, \phi(n)) = 1\}$.
RSA is easy to compute. How hard is it to invert? We know that if we can factor $n$ we can invert RSA via the Chinese Remainder Theorem; however, we don't know if the converse is true. Thus far, the best way known to invert RSA is to first factor $n$. There are a variety of algorithms for this task. The best running time for a fully proved algorithm is Dixon's random squares algorithm, which runs in time $O(e^{\sqrt{\log n \log\log n}})$. In practice we may consider others. Let $\ell = |p|$ where $p$ is the smallest prime divisor of $n$. The Elliptic Curve algorithm takes expected time $O(e^{\sqrt{2\ell \log \ell}})$. The Quadratic Sieve algorithm runs in expected $O(e^{\sqrt{\ln n \ln\ln n}})$. Notice the difference in the argument of the superpolynomial component of the running time. This means that when we suspect that one prime factor is substantially smaller than the other, we should use the Elliptic Curve method; otherwise one should use the Quadratic Sieve. The new number field sieve algorithm seems to achieve an $O(e^{1.9 (\ln n)^{1/3} (\ln\ln n)^{2/3}})$ running time, which is a substantial improvement asymptotically although in practice it still does not seem to run faster than the Quadratic Sieve algorithm for the size of integers which people currently attempt to factor. The recommended size for $n$ these days is 1024 bits.
With all this in mind, we make an explicit assumption under which one can prove that RSA provides a collection of trapdoor functions.
Strong RSA Assumption:$^2$ Let $H_k = \{n = pq : p \ne q \text{ are primes and } |p| = |q| = k\}$. Then for every polynomial $Q$ and every PTM $A$, there exists an integer $k_0$ such that $\forall k > k_0$
$$\Pr[A(n, e, \mathrm{RSA}_{n,e}(x)) = x] < \frac{1}{Q(k)}$$
(where the probability is taken over all $n \in H_k$, $e$ such that $\gcd(e, \phi(n)) = 1$, $x \in \mathbb{Z}_n^*$, and the coin tosses of $A$).
We need to prove some auxiliary claims.
Claim 2.28 For $(n, e) \in I$, $\mathrm{RSA}_{n,e}$ is a permutation over $\mathbb{Z}_n^*$.
Proof: Since $\gcd(e, \phi(n)) = 1$ there exists an integer $d$ such that $ed \equiv 1 \pmod{\phi(n)}$. Given $x \in \mathbb{Z}_n^*$, consider the element $x^d \in \mathbb{Z}_n^*$. Then $\mathrm{RSA}_{n,e}(x^d) \equiv (x^d)^e \equiv x^{ed} \equiv x \pmod n$. Thus, the function $\mathrm{RSA}_{n,e} : \mathbb{Z}_n^* \to \mathbb{Z}_n^*$ is onto, and since $|\mathbb{Z}_n^*|$ is finite it follows that $\mathrm{RSA}_{n,e}$ is a permutation over $\mathbb{Z}_n^*$.
Remark 2.29 Note that the above is a constructive proof that RSA has a unique inverse. Since $\gcd(e, \phi(n)) = 1$, if we run the extended Euclidean algorithm we can find $d \in \mathbb{Z}_n^*$ such that
$$\mathrm{RSA}_{n,e}^{-1}(x) = (x^e \bmod n)^d \bmod n = x^{ed} \bmod n = x \bmod n.$$
Note that once we have found a $d$ such that $ed \equiv 1 \pmod{\phi(n)}$ then we can invert $\mathrm{RSA}_{n,e}$ efficiently because then $\mathrm{RSA}_{n,e}(x)^d \equiv x^{ed} \equiv x \pmod n$.
Theorem 2.30 Under the strong RSA assumption, RSA is a collection of strong one-way trapdoor permutations.
Proof: First note that by Claim 2.28, $\mathrm{RSA}_{n,e}$ is a permutation of $\mathbb{Z}_n^*$. We must also show that RSA satisfies each of the conditions in Definition 2.16. For condition 1, define $S_1$ to compute, on input $1^k$, a pair $(n, e) \in I \cap \{0,1\}^k$ and corresponding $d$ such that $ed \equiv 1 \pmod{\phi(n)}$. The algorithm picks two random primes of equal size by choosing random numbers and testing them for primality and setting $n$ to be their product; then $e \in \mathbb{Z}_{\phi(n)}$ is chosen at random, and finally $d$ is computed in polynomial time by first computing $\phi(n) = (p-1)(q-1)$ and then using the extended Euclidean algorithm. For condition 2, define $S_2$ to randomly generate $x \in \mathbb{Z}_n^*$ on input $(n, e)$. Let $A_1((n, e), x) = \mathrm{RSA}_{n,e}(x)$. Note that exponentiation modulo $n$ is a polynomial-time computation and therefore condition 3 holds. For condition 4, let $A_2((n, e), d, \mathrm{RSA}_{n,e}(x)) \equiv \mathrm{RSA}_{n,e}(x)^d \equiv x^{ed} \equiv x \pmod n$, and this is a polynomial-time computation. Condition 5 follows from the Strong RSA assumption.
One of the properties of the RSA function is that if we have a polynomial-time algorithm that inverts $\mathrm{RSA}_{n,e}$ on at least a polynomial proportion of the possible inputs $x \in \mathbb{Z}_n^*$ then a subsequent probabilistic expected polynomial-time algorithm can be found which inverts $\mathrm{RSA}_{n,e}$ on almost all inputs $x \in \mathbb{Z}_n^*$. This can be taken to mean that for a given $n, e$, if the function is hard to invert then it is almost everywhere hard to invert.
Proposition 2.31 Let $\epsilon, \delta \in (0, 1)$ and let $S \subseteq I$. Suppose there is a probabilistic algorithm $A$ such that for all $(n, e) \in S$
$$\Pr[A(n, e, \mathrm{RSA}_{n,e}(x)) = x] > \epsilon$$
(where the probability is taken over $x \in \mathbb{Z}_n^*$ and the coin tosses of $A$) and $A$ runs in time polynomial in $|n|$. Then there is a probabilistic algorithm $A'$ running in time polynomial in $\epsilon^{-1}$, $\delta^{-1}$, and $|n|$ such that for all $(n, e) \in S$, and $x \in \mathbb{Z}_n^*$
$$\Pr[A'(n, e, \mathrm{RSA}_{n,e}(x)) = x] > 1 - \delta$$
(where the probability is taken over the coin tosses of $A'$).
$^2$ A weaker assumption can be made which under standard constructions is equivalent to the stronger one which is made in this class. Weak RSA Assumption: Let $H_k = \{n = pq : p \ne q \text{ are prime and } |p| = |q| = k\}$. There is a polynomial $Q$ such that for every PTM $A$, there exists an integer $k_0$ such that $\forall k > k_0$
$$\Pr[A(n, e, \mathrm{RSA}_{n,e}(x)) = x] < 1 - \frac{1}{Q(k)}$$
(where the probability is taken over all $n \in H_k$, $e$ such that $\gcd(e, \phi(n)) = 1$, $x \in \mathbb{Z}_n^*$, and the coin tosses of $A$).
Proof: Choose the smallest integer $N$ for which $\frac{1}{e^N} < \delta$. Consider the algorithm $A'$ running as follows on inputs $(n, e) \in S$ and $\mathrm{RSA}_{n,e}(x)$.
Repeat $\epsilon^{-1} N$ times.
    Randomly choose $z \in \mathbb{Z}_n^*$.
    Let $y = A(n, e, \mathrm{RSA}_{n,e}(x) \cdot \mathrm{RSA}_{n,e}(z)) = A(n, e, \mathrm{RSA}_{n,e}(xz))$.
    If $A$ succeeds then $y = xz$ and therefore $x = yz^{-1} \bmod n$. Output $x$.
    Otherwise, continue to the next iteration.
End loop
We can estimate the probability that $A'$ fails:
$$\Pr[A'(n, e, \mathrm{RSA}_{n,e}(x)) \ne x] = \Pr[\text{a single iteration of the loop of } A' \text{ fails}]^{\epsilon^{-1} N} < (1 - \epsilon)^{\epsilon^{-1} N} < e^{-N} < \delta$$
Note that since $N = O(\log(\delta^{-1})) = O(\delta^{-1})$, $A'$ is a probabilistic algorithm which runs in time polynomial in $\epsilon^{-1}$, $\delta^{-1}$, and $|n|$.
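The RSA collection of Theorem 2.30 and the random self-reduction of Proposition 2.31 (the same blinding argument as Proposition 2.25 for discrete logarithms), as an added Python example that is not from the lecture notes: a constructed partial inverter that only answers on half of $\mathbb{Z}_n^*$ is turned into one that succeeds on every input. The primes 61 and 53, $e = 17$, the success set and all function names are constructed for demonstration.

```python
"""Added example, not from the lecture notes: the RSA collection of
Theorem 2.30 on toy-sized primes, plus the random self-reduction of
Proposition 2.31 (the same blinding argument as Proposition 2.25 for discrete
logs) run against a constructed partial inverter. All primes, exponents and
the partial inverter's success set are constructed for demonstration."""

import math
import random


def rsa_keygen(p: int, q: int, e: int) -> tuple:
    """S_1 with the two primes supplied by the caller (assumption). Returns (n, e, d)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)   # extended Euclid, as in Remark 2.29
    return n, e, d


def rsa(n: int, e: int, x: int) -> int:
    """A_1((n, e), x) = RSA_{n,e}(x) = x^e mod n."""
    return pow(x, e, n)


def rsa_invert_with_trapdoor(n: int, d: int, y: int) -> int:
    """A_2((n, e), d, y) = y^d mod n (Claim 2.28)."""
    return pow(y, d, n)


def is_permutation_of_units(n: int, e: int) -> bool:
    """Claim 2.28 checked exhaustively: RSA_{n,e} maps Z_n^* onto Z_n^*."""
    units = [x for x in range(1, n) if math.gcd(x, n) == 1]
    return {rsa(n, e, x) for x in units} == set(units)


def make_partial_inverter(n: int, d: int, success_set):
    """Constructed weak adversary A: it inverts correctly only when the preimage
    lies in success_set and answers None otherwise, i.e. it succeeds on a fixed
    fraction eps of Z_n^*, exactly the hypothesis of Proposition 2.31."""
    def A(n_: int, e_: int, y: int):
        x = pow(y, d, n_)
        return x if x in success_set else None
    return A


def amplified_inverter(A, n: int, e: int, y: int, eps: float, delta: float, seed: int):
    """A' of Proposition 2.31: blind y = RSA(x) with a random unit z, hand
    y * RSA(z) = RSA(xz) to A, and unblind. N is the least integer with
    e^-N < delta; the loop runs ceil(N/eps) times so the failure probability
    is below (1-eps)^(N/eps) < e^-N < delta."""
    rng = random.Random(seed)
    N = math.floor(math.log(1 / delta)) + 1
    for _ in range(math.ceil(N / eps)):
        z = rng.randrange(1, n)
        if math.gcd(z, n) != 1:
            continue                      # not in Z_n^*; draw again
        blinded = y * rsa(n, e, z) % n
        ans = A(n, e, blinded)
        if ans is not None and rsa(n, e, ans) == blinded:   # "A succeeds"
            return ans * pow(z, -1, n) % n
    return None


def demo(seed: int = 7) -> tuple:
    """Returns (direct answer of A, answer of A') on an input that A refuses."""
    n, e, d = rsa_keygen(61, 53, 17)                          # constructed toy parameters
    A = make_partial_inverter(n, d, set(range(1, n, 2)))    # succeeds only on odd x
    x = 1000                                                  # even, so A alone fails
    y = rsa(n, e, x)
    return A(n, e, y), amplified_inverter(A, n, e, y, eps=0.4, delta=0.001, seed=seed)


if __name__ == "__main__":
    print(demo())
```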
Open Problem 2.32 It remains to determine whether a similar result holds if the probability is also taken over the indices $(n, e) \in I$. Specifically, if $\epsilon, \delta \in (0, 1)$ and $A$ is a PTM such that
$$\Pr[A(n, e, \mathrm{RSA}_{n,e}(x)) = x] > \epsilon$$
(where the probability is taken over $(n, e) \in I$, $x \in \mathbb{Z}_n^*$ and the coin tosses of $A$), does there exist a PTM $A'$ running in time polynomial in $\epsilon^{-1}$ and $\delta^{-1}$ such that
$$\Pr[A'(n, e, \mathrm{RSA}_{n,e}(x)) = x] > 1 - \delta$$
(where the probability is taken over $(n, e) \in I$ and the coin tosses of $A'$)?
2.3.3 Connection Between The Factorization Problem And Inverting RSA
Fact 2.33 If some PPT algorithm $A$ can factor $n$ then there exists a PPT $A'$ that can invert $\mathrm{RSA}_{\langle n,e\rangle}$.
The proof is obvious as $\phi(n) = (p-1)(q-1)$. The trapdoor information $d$ can be found by using the extended Euclidean algorithm because $d = e^{-1} \bmod \phi(n)$.
Fact 2.34 If there exists a PTM $B$ which on input $\langle n, e\rangle$ finds $d$ such that $ed \equiv 1 \pmod{\phi(n)}$ then there exists a PTM $B'$ that can factor $n$.
Open Problem 2.35 It remains to determine whether inverting RSA and factoring are equivalent. Namely, if there is a PTM $C$ which, on input $\langle n, e\rangle$, can invert $\mathrm{RSA}_{\langle n,e\rangle}$, does there exist a PTM $C'$ that can factor $n$? The answer to this question is unknown. Note that Fact 2.34 does not imply that the answer is yes, as there may be other methods to invert RSA which do not necessarily find $d$.
2.3.4 The Squaring Trapdoor Function Candidate by Rabin
Rabin in [170] introduced a candidate trapdoor function which we call the squaring function. The squaring function resembles the RSA function except that Rabin was able to actually prove that inverting the squaring function is as hard as factoring integers. Thus, inverting the squaring function is a computation which is at least as hard as inverting the RSA function and possibly harder.
Definition 2.36 Let $I = \{n = pq : p \text{ and } q \text{ are distinct odd primes}\}$. For $n \in I$, the squaring function $\mathrm{SQUARE}_n : Z_n^* \longrightarrow Z_n^*$ is defined by $\mathrm{SQUARE}_n(x) \equiv x^2 \b mod n$. The trapdoor information of $n = pq \in I$ is $t_n = (p, q)$. We will denote the entire collection of Rabin's functions by $\mathrm{RABIN} = \{\mathrm{SQUARE}_n : Z_n^* \longrightarrow Z_n^*\}_{n \in I}$.
Remark 2.37 Observe that while Rabin's function squares its input, the RSA function uses a varying exponent; namely, $e$ where $\gcd(e, \varphi(n)) = 1$. The requirement that $\gcd(e, \varphi(n)) = 1$ guarantees that the RSA function is a permutation. On the other hand, Rabin's function is four-to-one and thus it does not have a uniquely defined inverse. Specifically, let $n = pq \in I$ and let $a \in Z_p^*$. As discussed in section C.4, if $a \equiv x^2 \bmod p$ then $x$ and $-x$ are the distinct square roots of $a$ modulo $p$ and if $a \equiv y^2 \bmod q$ then $y$ and $-y$ are the distinct square roots of $a$ modulo $q$. Then, there are four solutions to the congruence $a \equiv z^2 \bmod n$, constructed as follows. Let $c, d \in Z_n$ be the Chinese Remainder Theorem coefficients as discussed in Appendix C.4. Then
$$c \equiv \begin{cases} 1 \bmod p \\ 0 \bmod q \end{cases} \quad \text{and} \quad d \equiv \begin{cases} 0 \bmod p \\ 1 \bmod q \end{cases}$$
and the four solutions are $cx + dy$, $cx - dy$, $-cx + dy$, and $-cx - dy$.
The main result is that RABIN is a collection of strong one way trapdoor functions and the proof relies on an assumption concerning the difficulty of factoring. We state this assumption now.
Factoring Assumption: Let $H_k = \{pq : p \text{ and } q \text{ are prime and } |p| = |q| = k\}$. Then for every polynomial $Q$ and every PTM $A$, $\exists k_0$ such that $\forall k > k_0$
$$\Pr[A(n) = p : p \mid n \text{ and } p \neq 1, n] < \frac{1}{Q(k)}$$
(where the probability is taken over all $n \in H_k$ and the coin tosses of $A$).
Our ultimate goal is to prove the following result.
Theorem 2.38 Under the factoring assumption, RABIN is a collection of one way trapdoor functions.
Before proving this, we consider two auxiliary lemmas. Lemma 2.39 constructs a polynomial-time machine $A$ which computes square roots modulo a prime. Lemma 2.42 constructs another polynomial-time machine, SQRT, that inverts Rabin's function using the trapdoor information; specifically, it computes a square root modulo composites given the factorization. SQRT makes calls to $A$.
Lemma 2.39 Let $p$ be an odd prime and let $a$ be a square modulo $p$. There exists a probabilistic algorithm $A$ running in expected polynomial time such that $A(p, a) = x$ where $x^2 \equiv a \bmod p$.
Proof: Let $p$ be an odd prime and let $a$ be a quadratic residue in $Z_p^*$. There are two cases to consider: $p \equiv 1 \bmod 4$ and $p \equiv 3 \bmod 4$.
Case 1 $p \equiv 3 \bmod 4$; that is, $p = 4m + 3$ for some integer $m$.
Since $a$ is a square we have $1 = J_p(a) \equiv a^{\frac{p-1}{2}} \bmod p \Longrightarrow a^{2m+1} \equiv 1 \bmod p \Longrightarrow a^{2m+2} \equiv a \bmod p$. Therefore, $a^{m+1}$ is a square root of $a$ modulo $p$.
Case 2 $p \equiv 1 \bmod 4$; that is, $p = 4m + 1$ for some integer $m$.
As in Case 1, we will attempt to find an odd exponent $e$ such that $a^e \equiv 1 \bmod p$. Again, $a$ is a square and thus $1 = J_p(a) \equiv a^{\frac{p-1}{2}} \bmod p \Longrightarrow a^{2m} \equiv 1 \bmod p$.
However, at this point we are not done as in Case 1 because the exponent on $a$ in the above congruence is even. But notice that $a^{2m} \equiv 1 \bmod p \Longrightarrow a^m \equiv \pm 1 \bmod p$. If $a^m \equiv 1 \bmod p$ with $m$ odd, then we proceed as in Case 1.
This suggests that we write $2m = 2^l r$ where $r$ is an odd integer and compute $a^{2^{l-i} r} \bmod p$ for $i = 1, \ldots, l$ with the intention of reaching the congruence $a^r \equiv 1 \bmod p$ and then proceeding as in Case 1. However, this is not guaranteed as there may exist an integer $l'$ satisfying $0 \le l' < l$ such that $a^{2^{l'} r} \equiv -1 \bmod p$. If this congruence is encountered, we can recover as follows. Choose a quadratic nonresidue $b \in Z_p^*$. Then $-1 = J_p(b) \equiv b^{\frac{p-1}{2}} \bmod p$ and therefore $a^{2^{l'} r} b^{2^l r} = a^{2^{l'} r} b^{\frac{p-1}{2}} \equiv 1 \bmod p$. Thus, by multiplying by $b^{2^l r} \equiv -1 \bmod p$, we obtain a new congruence $(a^r b^{2^{l-l'} r})^{2^{l'}} \equiv 1 \bmod p$. We proceed by taking square roots in this congruence. Since $l' < l$, we will, after $l$ steps, arrive at $a^r b^{2s} \equiv 1 \bmod p$ where $s$ is integral. At this point we have $a^{r+1} b^{2s} \equiv a \bmod p \Longrightarrow a^{\frac{r+1}{2}} b^s$ is a square root of $a \bmod p$.
From the above discussion (Cases 1 and 2) we obtain a probabilistic algorithm $A$ for taking square roots. The algorithm $A$ runs as follows on input $a, p$ where $J_p(a) = 1$.
(1) If $p = 4m + 3$ for some integer $m$ then output $a^{m+1}$ as a square root of $a \bmod p$.
(2) If $p = 4m + 1$ for some integer $m$ then randomly choose $b \in Z_p^*$ until a value is found satisfying $J_p(b) = -1$.
    (i) Initialize $i = 2m$ and $j = 0$.
    (ii) Repeat until $i$ is odd.
        $i \leftarrow \frac{i}{2}$ and $j \leftarrow \frac{j}{2}$.
        If $a^i b^j = -1$ then $j \leftarrow j + 2m$.
    Output $a^{\frac{i+1}{2}} b^{\frac{j}{2}}$ as a square root of $a \bmod p$.
This algorithm terminates after $O(l)$ iterations because in step 2 (ii) the exponent on $a$ is divided by 2. Note also that since exactly half of the elements in $Z_p^*$ are quadratic nonresidues, it is expected that 2 iterations will be required to find an appropriate value for $b$ at the beginning of step 2. Thus, $A$ runs in expected polynomial time and this completes the proof of Lemma 2.39.
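The two cases of algorithm $A$, written out as an added Python example that is not part of the notes (the names `legendre` and `sqrt_mod_prime` and the seeded choice of $b$ are ours). Case 1 is the single exponentiation $a^{m+1}$; Case 2 keeps the bookkeeping of step (2), with the invariant $a^i b^j \equiv 1 \pmod p$ that the proof relies on. One caveat the proof does not need but an implementation does: the input must be checked to be a residue, since the loop only terminates for $J_p(a) = 1$.

```python
import random


def legendre(a, p):
    """J_p(a) by Euler's criterion, a^((p-1)/2) mod p, reported as +1, -1 or 0."""
    s = pow(a % p, (p - 1) // 2, p)
    return -1 if s == p - 1 else s


def sqrt_mod_prime(a, p, seed=None):
    """Algorithm A of Lemma 2.39: a square root of the quadratic residue a
    modulo the odd prime p.  Unlike the proof, which assumes J_p(a) = 1, it
    checks the residuosity first so that a non-residue cannot make the
    search loop forever."""
    a %= p
    if a == 0:
        return 0
    if legendre(a, p) != 1:
        raise ValueError("a is not a quadratic residue modulo p")
    m, rem = divmod(p, 4)
    if rem == 3:
        # Case 1: p = 4m+3.  a^(2m+1) = a^((p-1)/2) = 1, hence (a^(m+1))^2 = a.
        return pow(a, m + 1, p)
    # Case 2: p = 4m+1.  Draw b until J_p(b) = -1; half of Z_p^* qualifies,
    # so two draws are expected.
    rng = random.Random(seed)
    while True:
        b = rng.randrange(2, p)
        if legendre(b, p) == -1:
            break
    # (i)  i = 2m, j = 0, so a^i b^j = a^((p-1)/2) = 1 (mod p).
    i, j = 2 * m, 0
    # (ii) Halve both exponents until i is odd.  The halved product is a root
    # of 1, i.e. +-1; when it is -1, add 2m to j (b^(2m) = -1) to restore +1.
    while i % 2 == 0:
        i //= 2
        j //= 2
        if (pow(a, i, p) * pow(b, j, p)) % p == p - 1:
            j += 2 * m
    # Now a^i b^j = 1 with i odd and j even, so a^((i+1)/2) b^(j/2) squares to a.
    return (pow(a, (i + 1) // 2, p) * pow(b, j // 2, p)) % p
```

The exponent $j$ stays even at every halving because each addition of $2m = 2^l r$ happens one halving later than the previous one, which is exactly the $l' < l$ argument in the proof.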
Remark 2.40 There is a deterministic algorithm due to René Schoof (see [185]) which computes the square root of a quadratic residue $a$ modulo a prime $p$ in time polynomial in $|p|$ and $a$ (specifically, the algorithm requires $O((a^{\frac{1}{2} + \epsilon} \log p)^9)$ elementary operations for any $\epsilon > 0$). However, it is unknown whether there exists a deterministic algorithm running in time polynomial in $|p|$.
Open Problem 2.41 Does there exist a deterministic algorithm that computes square roots modulo a prime $p$ in time polynomial in $|p|$?
The next result requires knowledge of the Chinese Remainder Theorem. The statement of this theorem as well
as a constructive proof is given in Appendix C.4. In addition, a more general form of the Chinese Remainder
Theorem is presented there.
Lemma 2.42 Let $p$ and $q$ be primes, $n = pq$ and $a$ a square modulo $p$. There exists a probabilistic algorithm SQRT running in expected polynomial time such that $\mathrm{SQRT}(p, q, n, a) = x$ where $x^2 \equiv a \bmod n$.
Proof: The algorithm SQRT will ﬁrst make calls to A, the algorithm of Lemma 2.39, to obtain square roots
of a modulo each of the primes p and q. It then combines these square roots, using the Chinese Remainder
Theorem, to obtain the required square root.
The algorithm SQRT runs as follows.
(1) Let $A(p, a) = x_1$ and $A(q, a) = x_2$.
(2) Use the Chinese Remainder Theorem to find (in polynomial time) $y \in Z_n$ such that $y \equiv x_1 \bmod p$ and $y \equiv x_2 \bmod q$ and output $y$.
Algorithm SQRT runs correctly because
$$y^2 \equiv \begin{cases} x_1^2 \equiv a \bmod p \\ x_2^2 \equiv a \bmod q \end{cases} \Longrightarrow y^2 \equiv a \bmod n.$$
On the other hand, if the factors of n are unknown then the computation of square roots modulo n is as hard
as factoring n. We prove this result next.
Lemma 2.43 Computing square roots modulo $n \in H_k$ is as hard as factoring $n$.
Proof: Suppose that $I$ is an algorithm which on input $n \in H_k$ and $a$ a square modulo $n$ outputs $y$ such that $a \equiv y^2 \bmod n$ and consider the following algorithm $B$ which on input $n$ outputs a nontrivial factor of $n$.
(1) Randomly choose $x \in Z_n^*$.
(2) Set $y = I(n, x^2 \bmod n)$.
(3) Check if $x \equiv \pm y \bmod n$. If not then $\gcd(x - y, n)$ is a nontrivial divisor of $n$. Otherwise, repeat from 1.
Algorithm $B$ runs correctly because $x^2 \equiv y^2 \bmod n \Longrightarrow (x+y)(x-y) \equiv 0 \bmod n$ and so $n \mid (x+y)(x-y)$. But $n \nmid (x-y)$ because $x \not\equiv y \bmod n$ and $n \nmid (x+y)$ because $x \not\equiv -y \bmod n$. Therefore, $\gcd(x - y, n)$ is a nontrivial divisor of $n$. Note also that the congruence $a \equiv x^2 \bmod n$ has either 0 or 4 solutions (a proof of this result is presented in Appendix C.4). Therefore, if $I(n, x^2) = y$ then $x \equiv \pm y \bmod n$ with probability $\frac{1}{2}$ and hence the above algorithm is expected to terminate in 2 iterations.
We are now in a position to prove the main result, Theorem 2.38.
Proof: For condition 1, define $S_1$ to find on input $1^k$ an integer $n = pq$ where $p$ and $q$ are primes of equal length and $|n| = k$. The trapdoor information is the pair of factors $(p, q)$.
For condition 2 in the definition of a collection of one way trapdoor functions, define $S_2$ to simply output $x \in Z_n^*$ at random given $n$.
Condition 3 is true since the computation of $x^2 \bmod n$ can be performed in polynomial time and condition 4 follows from the factoring assumption and Lemma 2.43.
Condition 5 follows by applying the algorithm SQRT from Lemma 2.42.
Lemma 2.43 can even be made stronger as we can also prove that if the algorithm I in the proof of Lemma 2.43
works only on a small portion of its inputs then we are still able to factor in polynomial time.
Proposition 2.44 Let $\epsilon, \delta \in (0, 1)$ and let $S \subseteq H_k$. Suppose there is a probabilistic algorithm $I$ such that for all $n \in S$
$$\Pr[I(n, a) = x \text{ such that } a \equiv x^2 \bmod n] > \epsilon$$
(where the probability is taken over $n \in S$, $a \in Z_n^{*2}$, and the coin tosses of $I$). Then there exists a probabilistic algorithm FACTOR running in time polynomial in $\epsilon^{-1}$, $\delta^{-1}$, and $|n|$ such that for all $n \in S$,
$$\Pr[\mathrm{FACTOR}(n) = d \text{ such that } d \mid n \text{ and } d \neq 1, n] > 1 - \delta$$
(where the probability is taken over $n$ and over the coin tosses of FACTOR).
Proof: Choose the smallest integer $N$ such that $\frac{1}{e^N} < \delta$. Consider the algorithm FACTOR running as follows on inputs $n \in S$.
Repeat $2\epsilon^{-1} N$ times.
    Randomly choose $x \in Z_n^*$.
    Set $y = I(n, x^2 \bmod n)$.
    Check if $x \equiv \pm y \bmod n$. If not then $\gcd(x - y, n)$ is a nontrivial divisor of $n$.
    Otherwise, continue to the next iteration.
End loop
We can estimate the probability that FACTOR fails. Note that even when $I(n, x^2 \bmod n)$ produces a square root of $x^2 \bmod n$, $\mathrm{FACTOR}(n)$ will be successful exactly half of the time.
$$\Pr[\mathrm{FACTOR}(n) \text{ fails to factor } n] = \Pr[\text{A single iteration of the loop of FACTOR fails}]^{2\epsilon^{-1} N} < \left(1 - \frac{\epsilon}{2}\right)^{2\epsilon^{-1} N} < e^{-N} < \delta$$
Since $N = O(\log(\delta^{-1})) = O(\delta^{-1})$, FACTOR is a probabilistic algorithm which runs in time polynomial in $\epsilon^{-1}$, $\delta^{-1}$, and $|n|$.
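Lemma 2.42 (the trapdoor inverter SQRT), Lemma 2.43 and Proposition 2.44 (factoring from a root oracle) together, as an added Python example that is not from the notes. The modulus uses primes $p \equiv q \equiv 3 \pmod 4$ so that the Case 1 root $a^{(p+1)/4}$ suffices and no general square-root routine is needed; `SQRT` combines the two prime roots with the Chinese Remainder Theorem, and `FACTOR` is the amplified loop of Proposition 2.44. The oracle it is run against, `make_root_oracle`, is a constructed stand-in for $I$: it holds the trapdoor only to simulate $I$, answers a fraction $\epsilon$ of queries, and returns a uniformly random one of the four roots. The primes 1019 and 1031 and all function names are assumptions made for the example.

```python
import math
import random


def sqrt_mod_blum_prime(a, p):
    """Case 1 of Lemma 2.39: for p = 4m+3 a root of the square a is a^(m+1) = a^((p+1)/4) mod p."""
    assert p % 4 == 3
    return pow(a % p, (p + 1) // 4, p)


def crt(x1, p, x2, q):
    """The y in Z_n, n = pq, with y = x1 mod p and y = x2 mod q, built from the
    CRT coefficients c (1 mod p, 0 mod q) and d (0 mod p, 1 mod q)."""
    n = p * q
    c = (q * pow(q, -1, p)) % n
    d = (p * pow(p, -1, q)) % n
    return (c * x1 + d * x2) % n


def SQRT(p, q, a):
    """Lemma 2.42: a square root of a modulo n = pq from the trapdoor (p, q)."""
    return crt(sqrt_mod_blum_prime(a, p), p, sqrt_mod_blum_prime(a, q), q)


def make_root_oracle(p, q, eps, rng):
    """Constructed stand-in for the algorithm I of Proposition 2.44.  With
    probability eps it returns one of the four roots of a, chosen uniformly
    (SQRT's root times a random square root of 1); otherwise None.  It keeps
    (p, q) only to simulate I; FACTOR below never sees them."""
    n = p * q
    roots_of_one = [1, n - 1, crt(1, p, q - 1, q), crt(p - 1, p, 1, q)]

    def I(_n, a):
        if rng.random() >= eps:
            return None
        return (SQRT(p, q, a) * rng.choice(roots_of_one)) % n
    return I


def FACTOR(n, I, eps, delta, rng):
    """Proposition 2.44: repeat 2 * eps^-1 * N times, N the smallest integer
    with e^-N < delta.  Each round squares a random x and asks I for a root y;
    when y != +-x, n divides (x-y)(x+y) but neither factor, so gcd(x-y, n) is
    a proper divisor."""
    N = math.ceil(math.log(1.0 / delta))
    for _ in range(math.ceil(2 * N / eps)):
        x = rng.randrange(1, n)
        g = math.gcd(x, n)
        if g != 1:
            return g                         # x outside Z_n^* already reveals a factor
        y = I(n, pow(x, 2, n))
        if y is None or y in (x, n - x):
            continue                         # oracle failed, or answered +-x: no information
        return math.gcd(x - y, n)
    return None


# Constructed toy modulus: 1019 and 1031 are primes, both congruent to 3 mod 4.
P, Q = 1019, 1031
N_MOD = P * Q


def demo_factor(seed=5, eps=0.5, delta=1e-9):
    """Factor N_MOD with a root oracle that answers only a fraction eps of queries."""
    rng = random.Random(seed)
    return FACTOR(N_MOD, make_root_oracle(P, Q, eps, rng), eps, delta, rng)
```

The oracle's random choice among the four roots is what makes the $\frac{1}{2}$ in the proof honest: since $x$ was chosen uniformly and $I$ only ever sees $x^2$, the root it returns is $\pm x$ exactly half of the time, independently of how the oracle works internally.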
2.3.5 A Squaring Permutation as Hard to Invert as Factoring
We remarked earlier that Rabin's function is not a permutation. If $n = pq$ where $p$ and $q$ are primes and $p \equiv q \equiv 3 \bmod 4$ then we can reduce Rabin's function $\mathrm{SQUARE}_n$ to a permutation $g_n$ by restricting its domain to the quadratic residues in $Z_n^*$, denoted by $Q_n$. This will yield a collection of one way permutations as we will see in Theorem 2.3.5. This suggestion is due to Blum and Williams.
Definition 2.45 Let $J = \{pq : p \neq q \text{ are odd primes}, |p| = |q|, \text{ and } p \equiv q \equiv 3 \bmod 4\}$. For $n \in J$ let the function $g_n : Q_n \longrightarrow Q_n$ be defined by $g_n(x) \equiv x^2 \bmod n$ and let BLUM-WILLIAMS $= \{g_n\}_{n \in J}$.
We will ﬁrst prove the following result.
Lemma 2.46 Each function $g_n \in$ BLUM-WILLIAMS is a permutation. That is, for every element $y \in Q_n$ there is a unique element $x \in Q_n$ such that $x^2 = y \bmod n$.
Proof: Let $n = p_1 p_2 \in J$. Note that by the Chinese Remainder Theorem, $y \in Q_n$ if and only if $y \in Q_{p_1}$ and $y \in Q_{p_2}$. Let $a_i$ and $-a_i$ be the square roots of $y \bmod p_i$ for $i = 1, 2$. Then, as is done in the proof of the Chinese Remainder Theorem, we can construct Chinese Remainder Theorem coefficients $c_1, c_2$ such that
$$c_1 \equiv \begin{cases} 1 \bmod p_1 \\ 0 \bmod p_2 \end{cases} \quad \text{and} \quad c_2 \equiv \begin{cases} 0 \bmod p_1 \\ 1 \bmod p_2 \end{cases}$$
and consequently, the four square roots of $y \bmod n$ are
$$w_1 = c_1 a_1 + c_2 a_2, \qquad w_2 = c_1 a_1 - c_2 a_2,$$
$$w_3 = -c_1 a_1 - c_2 a_2 = -(c_1 a_1 + c_2 a_2) = -w_1, \qquad \text{and } w_4 = -c_1 a_1 + c_2 a_2 = -(c_1 a_1 - c_2 a_2) = -w_2.$$
Since $p_1 \equiv p_2 \equiv 3 \bmod 4$, there are integers $m_1$ and $m_2$ such that $p_1 = 4m_1 + 3$ and $p_2 = 4m_2 + 3$. Thus,
$$J_{p_1}(w_3) = J_{p_1}(-w_1) = J_{p_1}(-1) J_{p_1}(w_1) = (-1)^{\frac{p_1 - 1}{2}} J_{p_1}(w_1) = -J_{p_1}(w_1)$$
because $\frac{p_1 - 1}{2}$ is odd and similarly, $J_{p_1}(w_4) = -J_{p_1}(w_2)$, $J_{p_2}(w_3) = -J_{p_2}(w_1)$, and $J_{p_2}(w_4) = -J_{p_2}(w_2)$. Therefore, without loss of generality, we can assume that $J_{p_1}(w_1) = J_{p_1}(w_2) = 1$ (and so $J_{p_1}(w_3) = J_{p_1}(w_4) = -1$).
Since only $w_1$ and $w_2$ are squares modulo $p_1$ it remains to show that only one of $w_1$ and $w_2$ is a square modulo $n$ or equivalently modulo $p_2$.
First observe that $J_{p_2}(w_1) \equiv (w_1)^{\frac{p_2 - 1}{2}} \equiv (c_1 a_1 + c_2 a_2)^{2m_2 + 1} \equiv (a_2)^{2m_2 + 1} \bmod p_2$ and that $J_{p_2}(w_2) \equiv (w_2)^{\frac{p_2 - 1}{2}} \equiv (c_1 a_1 - c_2 a_2)^{2m_2 + 1} \equiv (-a_2)^{2m_2 + 1} \bmod p_2$ (because $c_1 \equiv 0 \bmod p_2$ and $c_2 \equiv 1 \bmod p_2$). Therefore, $J_{p_2}(w_2) = -J_{p_2}(w_1)$. Again, without loss of generality, we can assume that $J_{p_2}(w_1) = 1$ and $J_{p_2}(w_2) = -1$ and hence, $w_1$ is the only square root of $y$ that is a square modulo both $p_1$ and $p_2$. Therefore, $w_1$ is the only square root of $y$ in $Q_n$.
Theorem 2.47 [Williams, Blum] BLUM-WILLIAMS is a collection of one-way trapdoor permutations.
Proof: This follows immediately from Lemma 2.46 because each function $g_n$, $n \in J$, is a permutation. The trapdoor information of $n = pq$ is $t_n = (p, q)$.
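An added Python example (not from the notes) for Lemma 2.46 and Theorem 2.47. With the toy primes $p = 7$, $q = 11$ (both $3 \bmod 4$) it builds the four roots $w_1, w_2, w_3 = -w_1, w_4 = -w_2$ of $y$ exactly as in the proof, inverts $g_n$ with the trapdoor by keeping the root that is a square modulo both primes, and verifies by brute force that squaring is a bijection on $Q_n$ and that the chosen root is the only preimage in $Q_n$. It also checks that the condition $p \equiv q \equiv 3 \bmod 4$ is what makes this work: for $n = 5 \cdot 7$ squaring is not injective on $Q_{35}$. The function names and the primes are assumptions made for the example.

```python
import math


def legendre(a, p):
    """J_p(a) by Euler's criterion, as +1, -1 or 0."""
    s = pow(a % p, (p - 1) // 2, p)
    return -1 if s == p - 1 else s


def crt(x1, p, x2, q):
    """y in Z_pq with y = x1 mod p and y = x2 mod q."""
    n = p * q
    return ((q * pow(q, -1, p)) * x1 + (p * pow(p, -1, q)) * x2) % n


def four_roots(y, p, q):
    """w1, w2, w3 = -w1, w4 = -w2 from the proof of Lemma 2.46 (p, q = 3 mod 4)."""
    a1 = pow(y % p, (p + 1) // 4, p)      # +-a1 are the roots of y mod p
    a2 = pow(y % q, (q + 1) // 4, q)      # +-a2 are the roots of y mod q
    w1 = crt(a1, p, a2, q)
    w2 = crt(a1, p, (-a2) % q, q)
    n = p * q
    return [w1, w2, (-w1) % n, (-w2) % n]


def invert_g(y, p, q):
    """g_n^-1(y) for y in Q_n with the trapdoor: the root that is a square mod both p and q."""
    hits = [w for w in four_roots(y, p, q)
            if legendre(w, p) == 1 and legendre(w, q) == 1]
    assert len(hits) == 1, "Lemma 2.46: exactly one root lies in Q_n"
    return hits[0]


def quadratic_residues(n):
    """Q_n by brute force (fine for a toy modulus)."""
    return sorted({pow(x, 2, n) for x in range(1, n) if math.gcd(x, n) == 1})


def squaring_is_permutation_of_Qn(p, q):
    """Brute-force check that x -> x^2 mod n maps Q_n bijectively onto Q_n."""
    n = p * q
    Qn = quadratic_residues(n)
    image = [pow(x, 2, n) for x in Qn]
    return sorted(image) == Qn and len(set(image)) == len(Qn)


def check_unique_preimage(p, q):
    """For every y in Q_n, invert_g(y) is the only x in Q_n with x^2 = y."""
    n = p * q
    Qn = set(quadratic_residues(n))
    for y in Qn:
        x = invert_g(y, p, q)
        if x not in Qn or pow(x, 2, n) != y:
            return False
        if sum(1 for w in four_roots(y, p, q) if w in Qn) != 1:
            return False
    return True
```

For $y = 4$ and $n = 77$ the four roots are $2, 9, 68, 75$; only $9$ is a residue modulo both $7$ and $11$, so $g_{77}^{-1}(4) = 9$ even though $2$ is the "obvious" root.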
2.4 Hardcore Predicate of a One Way Function
Recall that $f(x)$ does not necessarily hide everything about $x$ even if $f$ is a one-way function. E.g. if $f$ is the RSA function then it preserves the Jacobi symbol of $x$, and if $f$ is the discrete logarithm function EXP then it is easy to compute the least significant bit of $x$ from $f(x)$ by a simple Legendre symbol calculation. Yet, it seems likely that there is at least one bit about $x$ which is hard to "guess" from $f(x)$, given that $x$ in its entirety is hard to compute. The question is: can we point to specific bits of $x$ which are hard to compute, and how hard are they to compute? The answer is encouraging. A number of results are known which give a particular bit of $x$ which is hard to guess given $f(x)$ for some particular $f$'s such as RSA and the discrete logarithm function. We will survey these results in subsequent sections.
More generally, we call a predicate about $x$ which is impossible to compute from $f(x)$ better than guessing it at random a hardcore predicate for $f$.
We first look at a general result by Goldreich and Levin [98] which gives for any one-way function $f$ a predicate $B$ such that it is as hard to guess $B(x)$ from $f(x)$ as it is to invert $f$.
Historical Note: The idea of a hardcore predicate for one-way functions was introduced by Blum, Goldwasser and Micali. It first appears in a paper by Blum and Micali [44] on pseudorandom number generation. They showed that if the EXP function ($f_{p,g}(x) = g^x \pmod p$) is hard to invert then it is hard to even guess better than guessing at random the most significant bit of $x$. Under the assumption that quadratic residues are hard to
distinguish from quadratic nonresidues modulo composite moduli, Goldwasser and Micali in [102] showed that the squaring function has a hard core predicate as well. Subsequently, Yao [208] showed a general result that given any one way function $f$, there is a predicate $B(x)$ which is as hard to guess from $f(x)$ as it is to invert $f$. Goldreich and Levin's result is a significantly simpler construction than Yao's earlier construction.
2.4.1 Hard Core Predicates for General One-Way Functions
We now introduce the concept of a hardcore predicate of a function and show by explicit construction that any strong one way function can be modified to have a hardcore predicate.
Note: Unless otherwise mentioned, the probabilities during this section are calculated uniformly over all coin tosses made by the algorithm in question.
Definition 2.48 A hardcore predicate of a function $f : \{0,1\}^* \to \{0,1\}^*$ is a boolean predicate $B : \{0,1\}^* \to \{0,1\}$, such that
(1) $\exists$ PPT $A$, such that $\forall x$ $A(x) = B(x)$
(2) $\forall$ PPT $G$, $\forall$ constants $c$, $\exists k_0$, s.t. $\forall k > k_0$
$$\Pr[G(f(x)) = B(x)] < \frac{1}{2} + \frac{1}{k^c}.$$
The probability is taken over the random coin tosses of $G$, and random choices of $x$ of length $k$.
Intuitively, the definition guarantees that given $x$, $B(x)$ is efficiently computable, but given only $f(x)$, it is hard to even "guess" $B(x)$; that is, to guess $B(x)$ with a probability significantly better than $\frac{1}{2}$.
Yao, in [208], showed that the existence of any trapdoor length-preserving permutation implies the existence of a trapdoor predicate. Goldreich and Levin greatly simplified Yao's construction and show that any one-way function can be modified to have a trapdoor predicate as follows (we state a simple version of their general result).
Theorem 2.49 [98] Let $f$ be a (strong) length preserving one-way function. Define $f'(x \circ r) = f(x) \circ r$, where $|x| = |r| = k$, and $\circ$ is the concatenation function. Then
$$B(x \circ r) = \sum_{i=1}^{k} x_i r_i \pmod 2$$
is a hardcore predicate for $f'$.
Note: $v \circ w$ denotes concatenation of strings $v$ and $w$. Computing $B$ from $f'$ is trivial as $f(x)$ and $r$ are easily recoverable from $f'(x, r)$. Finally notice that if $f$ is one-way then so is $f'$.
For a full proof of the theorem we refer the reader to [98].
It is trivial to extend the definition of a hardcore predicate for a one way function, to a collection of hard core predicates for a collection of one-way functions.
Definition 2.50 A hardcore predicate of a one-way function collection $F = \{f_i : D_i \to R_i\}_{i \in I}$ is a collection of boolean predicates $B = \{B_i : D_i \to R_i\}_{i \in I}$ such that
(1) $\exists$ PPT $A$, such that $\forall i, x$ $A(i, x) = B_i(x)$
(2) $\forall$ PPT $G$, $\forall$ constants $c$, $\exists k_0$, s.t. $\forall k > k_0$
$$\Pr[G(i, f_i(x)) = B_i(x)] < \frac{1}{2} + \frac{1}{k^c}.$$
The probability is taken over the random coin tosses of $G$, random choices of $i \in I \cap \{0,1\}^k$ and random $x \in D_i$.
2.4.2 Bit Security Of The Discrete Logarithm Function
Let us examine the bit security of the EXP collection of functions directly rather than through the Goldreich-Levin general construction.
We will be interested in the most significant bit of the discrete logarithm $x$ of $y$ modulo $p$.
For $(p, g) \in I$ and $y \in Z_p^*$, let
$$B_{p,g}(y) = \begin{cases} 0 & \text{if } y = g^x \bmod p \text{ where } 0 \le x < \frac{p-1}{2} \\ 1 & \text{if } y = g^x \bmod p \text{ where } \frac{p-1}{2} \le x < p - 1. \end{cases}$$
We want to show that if for $p$ a prime and $g$ a generator of $Z_p^*$, $\mathrm{EXP}_{p,g}(x) \equiv g^x \bmod p$ is hard to invert, then given $y = \mathrm{EXP}_{p,g}(x)$, $B_{p,g}(y)$ is hard to compute in a very strong sense; that is, in attempting to compute $B_{p,g}(y)$ we can do no better than essentially guessing its value randomly. The proof will be by way of a reduction. It will show that if we can compute $B_{p,g}(y)$ in polynomial time with probability greater than $\frac{1}{2} + \epsilon$ for some nonnegligible $\epsilon > 0$ then we can invert $\mathrm{EXP}_{p,g}(x)$ in time polynomial in $|p|$, $|g|$, and $\epsilon^{-1}$. The following is a formal statement of this fact.
Theorem 2.51 Let $S$ be a subset of the prime integers. Suppose there is a polynomial $Q$ and a PTM $G$ such that for all primes $p \in S$ and for all generators $g$ of $Z_p^*$
$$\Pr[G(p, g, y) = B_{p,g}(y)] > \frac{1}{2} + \frac{1}{Q(|p|)}$$
(where the probability is taken over $y \in Z_p^*$ and the coin tosses of $G$). Then for every polynomial $P$, there is a PTM $I$ such that for all primes $p \in S$, generators $g$ of $Z_p^*$, and $y \in Z_p^*$
$$\Pr[I(p, g, y) = x \text{ such that } y \equiv g^x \bmod p] > 1 - \frac{1}{P(|p|)}$$
(where the probability is taken over the coin tosses of $I$).
We point to [44] for a proof of the above theorem.
As a corollary we immediately get the following.
Definition 2.52 Define $\mathrm{MSB}_{p,g}(x) = 0$ if $1 \le x < \frac{p-1}{2}$ and $1$ otherwise for $x \in Z_{p-1}$, and $\mathrm{MSB} = \{\mathrm{MSB}_{p,g}(x) : Z_{p-1} \to \{0,1\}\}_{(p,g) \in I}$ for $I = \{(p, g) : p \text{ is prime and } g \text{ is a generator of } Z_p^*\}$.
Corollary 2.53 Under the strong DLA, MSB is a collection of hardcore predicates for EXP.
It can be shown that actually $O(\log \log p)$ of the most significant bits of $x \in Z_{p-1}$ are hidden by the function $\mathrm{EXP}_{p,g}(x)$. We state this result here without proof.
Theorem 2.54 For a PTM $A$, let
$$\alpha = \Pr[A(p, g, g^x, x_{\log\log p}\, x_{\log\log p - 1} \ldots x_0) = 0 \mid x = x_{|p|} \ldots x_0]$$
(where the probability is taken over $x \in Z_n^*$ and the coin tosses of $A$) and let
$$\beta = \Pr[A(p, g, g^x, r_{\log\log p}\, r_{\log\log p - 1} \ldots r_0) = 0 \mid r_i \in_R \{0,1\}]$$
(where the probability is taken over $x \in Z_n^*$, the coin tosses of $A$, and the bits $r_i$). Then under the Discrete Logarithm Assumption, we have that for every polynomial $Q$ and every PTM $A$, $\exists k_0$ such that $\forall k > k_0$,
$$|\alpha - \beta| < \frac{1}{Q(k)}.$$
Corollary 2.55 Under the Discrete Logarithm Assumption we have that for every polynomial $Q$ and every PTM $A$, $\exists k_0$ such that $\forall k > k_0$ and $\forall k_p < \log\log p$
$$\Pr[A(p, g, g^x, x_{k_p} \ldots x_0) = x_{k_p + 1}] < \frac{1}{2} + \frac{1}{Q(k)}$$
(where the probability is taken over the primes $p$ such that $|p| = k$, the generators $g$ of $Z_p^*$, $x \in Z_p^*$, and the coin tosses of $A$).
For further information on the simultaneous or individual security of the bits associated with the discrete logarithm see [136, 112].
2.4.3 Bit Security of RSA and SQUARING functions
Let $I = \{\langle n, e \rangle \mid n = pq,\ |p| = |q|,\ (e, \varphi(n)) = 1\}$, and $\mathrm{RSA} = \{\mathrm{RSA}_{\langle n,e \rangle} : Z_n^* \to Z_n^*\}_{\langle n,e \rangle \in I}$ be the collection of functions as defined in 2.17.
Alexi, Chor, Goldreich and Schnorr [6] showed that guessing the least significant bit of $x$ from $\mathrm{RSA}_{\langle n,e \rangle}(x)$ better than at random is as hard as inverting RSA.
Theorem 2.56 [6] Let $S \subset I$. Let $c > 0$. If there exists a probabilistic polynomial-time algorithm $O$ such that for $(n, e) \in S$,
$$\mathrm{prob}(O(n, e, x^e \bmod n) = \text{least significant bit of } x \bmod n) \ge \frac{1}{2} + \frac{1}{k^c}$$
(taken over coin tosses of $O$ and random choices of $x \in Z_n^*$). Then there exists a probabilistic expected polynomial time algorithm $A$ such that for all $n, e \in S$, for all $x \in Z_n^*$, $A(n, e, x^e \bmod n) = x \bmod n$.
Now define $\mathrm{LSB} = \{\mathrm{LSB}_{\langle n,e \rangle} : Z_n^* \to Z_n^*\}_{\langle n,e \rangle \in I}$ where $\mathrm{LSB}_{\langle n,e \rangle}(x) =$ least significant bit of $x$.
A direct corollary to the above theorem is:
Corollary 2.57 Under the (strong) RSA assumption, LSB is a collection of hard core predicates for RSA.
A similar result can be shown for the most significant bit of $x$ and in fact for the $\log\log n$ least (and most) significant bits of $x$ simultaneously. Moreover, similar results can be shown for the RABIN and BLUM-WILLIAMS collections. We refer to [6], [205] for the detailed results and proofs. Also see [84] for reductions of improved security.
2.5 One-Way and Trapdoor Predicates
A one-way predicate, first introduced in [101, 102], is a notion which precedes hard core predicates for one-way functions and is strongly related to it. It will be very useful for both the design of secure encryption and protocol design.
A one-way predicate is a boolean function $B : \{0,1\}^* \to \{0,1\}$ for which
(1) Sampling is possible: There exists a PPT algorithm that on input $v \in \{0,1\}$ and $1^k$, selects a random $x$ such that $B(x) = v$ and $|x| \le k$.
(2) Guessing is hard: For all $c > 0$, for all $k$ sufficiently large, no PPT algorithm given $x \in \{0,1\}^k$ can compute $B(x)$ with probability greater than $\frac{1}{2} + \frac{1}{k^c}$. (The probability is taken over the random choices made by the adversary and $x$ such that $|x| \le k$.)
A trapdoor predicate is a one-way predicate for which there exists, for every $k$, trapdoor information $t_k$ whose size is bounded by a polynomial in $k$ and whose knowledge enables the polynomial-time computation of $B(x)$, for all $x$ such that $|x| \le k$.
Restating as a collection of one-way and trapdoor predicates is easy.
Definition 2.58 Let $I$ be a set of indices and for $i \in I$ let $D_i$ be finite. A collection of one-way predicates is a set $B = \{B_i : D_i \to \{0,1\}\}_{i \in I}$ satisfying the following conditions. Let $D_i^v = \{x \in D_i : B_i(x) = v\}$.
(1) There exists a polynomial $p$ and a PTM $S_1$ which on input $1^k$ finds $i \in I \cap \{0,1\}^k$.
(2) There exists a PTM $S_2$ which on input $i \in I$ and $v \in \{0,1\}$ finds $x \in D_i$ such that $B_i(x) = v$.
(3) For every PPT $A$ there exists a negligible $\nu_A$ such that $\forall k$ large enough
$$\Pr\left[z = v : i \xleftarrow{\$} I \cap \{0,1\}^k;\ v \xleftarrow{\$} \{0,1\};\ x \xleftarrow{\$} D_i^v;\ z \xleftarrow{\$} A(i, x)\right] \le \frac{1}{2} + \nu_A(k)$$
Definition 2.59 Let $I$ be a set of indices and for $i \in I$ let $D_i$ be finite. A collection of trapdoor predicates is a set $B = \{B_i : D_i \to \{0,1\}\}_{i \in I}$ satisfying the following conditions. Let $D_i^v = \{x \in D_i : B_i(x) = v\}$.
(1) There exists a polynomial $p$ and a PTM $S_1$ which on input $1^k$ finds pairs $(i, t_i)$ where $i \in I \cap \{0,1\}^k$ and $|t_i| < p(k)$. The information $t_i$ is referred to as the trapdoor of $i$.
(2) There exists a PTM $S_2$ which on input $i \in I$ and $v \in \{0,1\}$ finds $x \in D_i$ such that $B_i(x) = v$.
(3) There exists a PTM $A_1$ such that for $i \in I$ and trapdoor $t_i$, $x \in D_i$: $A_1(i, t_i, x) = B_i(x)$.
(4) For every PPT $A$ there exists a negligible $\nu_A$ such that $\forall k$ large enough
$$\Pr\left[z = v : i \xleftarrow{\$} I \cap \{0,1\}^k;\ v \xleftarrow{\$} \{0,1\};\ x \xleftarrow{\$} D_i^v;\ z \leftarrow A(i, x)\right] \le \frac{1}{2} + \nu_A(k)$$
Note that this definition implies that $D_i^0$ is roughly the same size as $D_i^1$.
2.5.1 Examples of Sets of Trapdoor Predicates
A Set of Trapdoor Predicates Based on the Quadratic Residue Assumption
Let $Q_n$ denote the set of all quadratic residues (or squares) modulo $n$; that is, $x \in Q_n$ iff there exists a $y$ such that $x \equiv y^2 \bmod n$.
Recall that the Jacobi symbol $(J_n(x))$ is defined for any $x \in Z_n^*$ and has a value in $\{-1, 1\}$; this value is easily computed by using the law of quadratic reciprocity, even if the factorization of $n$ is unknown. If $n$ is prime then $x \in Q_n \Leftrightarrow (J_n(x)) = 1$; and if $n$ is composite, $x \in Q_n \Rightarrow (J_n(x)) = 1$. We let $J_n^{+1}$ denote the set $\{x \mid x \in Z_n^* \wedge (J_n(x)) = 1\}$, and we let $\tilde{Q}_n$ denote the set of pseudosquares modulo $n$: those elements of $J_n^{+1}$ which do not belong to $Q_n$. If $n$ is the product of two primes then $|Q_n| = |\tilde{Q}_n|$, and for any pseudosquare $y$ the function $f_y(x) = y \cdot x$ maps $Q_n$ one-to-one onto $\tilde{Q}_n$.
The quadratic residuosity problem is: given a composite $n$ and $x \in J_n^{+1}$, to determine whether $x$ is a square or a pseudosquare modulo $n$. This problem is believed to be computationally difficult, and is the basis for a number of cryptosystems.
The following theorem informally shows that for every $n$, if quadratic residuosity is hard to compute at all then it is hard to distinguish between squares and nonsquares almost everywhere.
Theorem 2.60 [101, 102]: Let $S \subset \{n \text{ s.t. } n = pq,\ p, q \text{ primes}\}$. If there exists a probabilistic polynomial-time algorithm $O$ such that for $n \in S$,
$$\mathrm{prob}(O(n, x) \text{ decides correctly whether } x \in Q_n \mid x \in J_n^{+1}) > \frac{1}{2} + \epsilon, \qquad (2.1)$$
where this probability is taken over the choice of $x \in J_n^{+1}$ and $O$'s random choices, then there exists a probabilistic algorithm $B$ with running time polynomial in $\epsilon^{-1}$, $\delta^{-1}$ and $|n|$ such that for all $n \in S$, for all $x \in J_n^{+1}$,
$$\mathrm{prob}(B(x, n) \text{ decides correctly whether } x \in Q_n \mid x \in J_n^{+1}) > 1 - \delta, \qquad (2.2)$$
where this probability is taken over the random coin tosses of $B$.
Namely, a probabilistic polynomial-time bounded adversary cannot do better (except by a smaller than any polynomial advantage) than guess at random whether $x \in J_n$ is a square mod $n$, if the quadratic residuosity problem is not in polynomial time.
This suggests immediately the following set of predicates: Let
$$\mathrm{QR}_{n,z}(x) = \begin{cases} 0 & \text{if } x \text{ is a square mod } n \\ 1 & \text{if } x \text{ is a nonsquare mod } n \end{cases}$$
where $\mathrm{QR}_{n,z} : J_n^{+1} \to \{0,1\}$ and $I_k = \{n \# z \mid n = pq,\ |p| = |q| = \frac{k}{2},\ p \text{ and } q \text{ primes},\ (J_n(z)) = +1,\ z \text{ a nonsquare mod } n\}$. It is clear that $\mathrm{QR} = \{\mathrm{QR}_{n,z}\}$ is a set of trapdoor predicates where the trapdoor information associated with every index $\langle n, z \rangle$ is the factorization $\langle p, q \rangle$. Let's check this explicitly.
(1) To select pairs $(i, t_i)$ at random, first pick two primes, $p$ and $q$, of size $\frac{k}{2}$ at random, determining $n$. Next, search until we find a nonsquare $z$ in $Z_n^*$ with Jacobi symbol $+1$. The pair we have found is then $(\langle n, z \rangle, \langle p, q \rangle)$. We already know how to do all of these operations in expected polynomial time.
(2) Follows from the existence of the following algorithm to select elements out of $D_{n,z}^v$:
• To select $x \in D_{n,z}^0$, let $x = y^2 \bmod n$ where $y$ is an element of $Z_n^*$ chosen at random.
• To select $x \in D_{n,z}^1$, let $x = z y^2 \bmod n$ where $y$ is an element of $Z_n^*$ chosen at random.
(3) To compute $\mathrm{QR}_{n,z}(x)$ given $\langle p, q \rangle$, we compute $(J_p(x))$ and $\left(\frac{x}{q}\right)$. If both are $+1$ then $\mathrm{QR}_{n,z}(x)$ is 0, otherwise it is 1.
(4) This follows from the Quadratic Residuosity Assumption and the above theorem.
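Steps (1) to (3) of the check above, as an added Python example that is not from the notes. `jacobi` computes $J_n(x)$ by quadratic reciprocity without the factorization (the property that makes $J_n^{+1}$ publicly recognisable); `keygen` finds the pseudosquare $z$, `sample` draws from $D^0_{n,z}$ and $D^1_{n,z}$, and `QR` evaluates the predicate with the trapdoor $\langle p, q \rangle$. The primes 1019 and 1031 are a constructed toy index and the function names are ours; the only thing the page does not state that the code relies on is the standard reciprocity algorithm inside `jacobi`.

```python
import math
import random


def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0, by quadratic reciprocity; needs no factoring."""
    assert n > 0 and n % 2 == 1
    a %= n
    result = 1
    while a:
        while a % 2 == 0:                  # (2/n) = -1 exactly when n = 3 or 5 mod 8
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                        # reciprocity: sign flips iff both are 3 mod 4
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def legendre(a, p):
    """J_p(a) for prime p by Euler's criterion: +1, -1 or 0."""
    s = pow(a % p, (p - 1) // 2, p)
    return -1 if s == p - 1 else s


def keygen(p, q):
    """Step (1): the index <n, z> with z a pseudosquare (Jacobi +1 but a non-residue)
    and the trapdoor <p, q>.  With the trapdoor in hand the search is easy: Jacobi +1
    together with non-residuosity mod p forces non-residuosity mod q as well."""
    n = p * q
    z = 2
    while not (jacobi(z, n) == 1 and legendre(z, p) == -1):
        z += 1
    return (n, z), (p, q)


def sample(n, z, v, rng):
    """Step (2): a random element of D^v_{n,z}: y^2 for v = 0, z * y^2 for v = 1."""
    while True:
        y = rng.randrange(1, n)
        if math.gcd(y, n) == 1:
            break
    x = pow(y, 2, n)
    return x if v == 0 else (z * x) % n


def QR(x, p, q):
    """Step (3): QR_{n,z}(x) with the trapdoor: 0 iff x is a square mod both p and q."""
    return 0 if legendre(x, p) == 1 and legendre(x, q) == 1 else 1


def jacobi_by_trapdoor(x, p, q):
    """Cross-check for jacobi(): J_n(x) = J_p(x) * J_q(x) once the factors are known."""
    return legendre(x, p) * legendre(x, q)


def check_predicate(p, q, v, trials, seed):
    """Draw `trials` elements of D^v_{n,z}; True iff each lies in J_n^{+1} (so the
    public Jacobi symbol reveals nothing) and decodes to v with the trapdoor."""
    (n, z), _ = keygen(p, q)
    rng = random.Random(seed)
    return all(jacobi(x, n) == 1 and QR(x, p, q) == v
               for x in (sample(n, z, v, rng) for _ in range(trials)))
```

Both sample sets land in $J_n^{+1}$, which is the whole point: the publicly computable symbol is $+1$ for a square and for $z$ times a square alike, so without $\langle p, q \rangle$ it gives no handle on $v$.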
A Set of Trapdoor Predicates Based on the RSA Assumption
Define $B_{n,e}(x) =$ the least significant bit of $x^d \bmod n$ for $x \in Z_n^*$ where $ed = 1 \bmod \varphi(n)$. Then, to select uniformly an $x \in Z_n^*$ such that $B_{n,e}(x) = v$ simply select a $y \in Z_n^*$ whose least significant bit is $v$ and set $x = y^e \bmod n$. Given $d$ it is easy to compute $B_{n,e}(x) =$ least significant bit of $x^d \bmod n$.
The security of this construction follows trivially from the definition of collection of hard core predicates for the RSA collection of functions.
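The RSA-based predicate, as an added Python example that is not from the notes: sampling a preimage of a chosen bit by encrypting a $y$ with that least significant bit (which works because $\mathrm{RSA}_{n,e}$ permutes $Z_n^*$), and evaluating $B_{n,e}$ with the trapdoor $d$. The key from the toy primes 1019 and 1031 and the function names are assumptions made for the example.

```python
import math
import random


def rsa_keygen(p, q, e=17):
    """Index <n, e> and trapdoor d with e*d = 1 mod phi(n)."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert math.gcd(e, phi) == 1
    return (n, e), pow(e, -1, phi)


def sample_with_bit(n, e, v, rng):
    """A uniform x in Z_n^* with B_{n,e}(x) = v: draw y in Z_n^* whose least
    significant bit is v and output x = y^e mod n.  Since RSA permutes Z_n^*,
    x is uniform over the preimages of bit v."""
    while True:
        y = rng.randrange(1, n)
        if y % 2 == v and math.gcd(y, n) == 1:
            return pow(y, e, n)


def B(n, d, x):
    """B_{n,e}(x) with the trapdoor: least significant bit of x^d mod n."""
    return pow(x, d, n) & 1


def check_bits(p, q, trials, seed):
    """True iff every sampled preimage of bit v decodes to v for both v = 0 and v = 1."""
    (n, e), d = rsa_keygen(p, q)
    rng = random.Random(seed)
    return all(B(n, d, sample_with_bit(n, e, v, rng)) == v
               for v in (0, 1) for _ in range(trials))
```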
Chapter 3
Pseudorandom bit generators
In this chapter, we discuss the notion of pseudorandom generators. Intuitively, a PSRG is a deterministic program used to generate a long sequence of bits which looks like a random sequence, given as input a short random sequence (the input seed).
The notion of PSRG has applications in various fields:
Cryptography:
In the case of private key encryption, Shannon showed (see lecture 1) that the length of the clear text should not exceed the length of the secret key, that is, the two parties have to agree on a very long string to be used as the secret key. Using a PSRG $G$, they need to agree only on a short seed $r$, and exchange the message $G(r) \oplus m$.
Algorithms Design:
An algorithm that uses a source of random bits can manage with a shorter string, used as a seed to a PSRG.
Complexity Theory:
Given a probabilistic algorithm, an important question is whether we can make it deterministic. Using the notion of a PSRG we can prove, assuming the existence of one-way functions, that $\mathrm{BPP} \subseteq \bigcap_{\epsilon > 0} \mathrm{DTIME}(2^{n^\epsilon})$.
In this chapter we will define good pseudorandom number generators and give constructions of them under the assumption that one way functions exist.
We first ask where we can actually find truly random bit sequences.[1]
3.0.2 Generating Truly Random bit Sequences
Generating a onetime pad (or, for that matter, any cryptographic key) requires the use of a “natural” source
of random bits, such as a coin, a radioactive source or a noise diode. Such sources are absolutely essential for
providing the initial secret keys for cryptographic systems.
However, many natural sources of random bits may be defective in that they produce biased output bits (so
that the probability of a one is diﬀerent than the probability of a zero), or bits which are correlated with each
other. Fortunately, one can remedy these defects by suitably processing the output sequences produced by the
natural sources.
1
some of the preliminary discussion in the following three subsections is taken from Rivest’s survey article on cryptography
which appears in the handbook of computer science
39
40 Goldwasser and Bellare
To turn a source which supplies biased but uncorrelated bits into one which supplies unbiased uncorrelated bits,
von Neumann proposed grouping the bits into pairs, and then turning 01 pairs into 0’s, 10 pairs into 1’s, and
discarding pairs of the form 00 and 11 [206]. The result is an unbiased uncorrelated source, since the 01 and 10
pairs will have an identical probability of occurring. Elias [79] generalizes this idea to achieve an output rate
near the source entropy.
Handling a correlated bit source is more diﬃcult. Blum [42] shows how to produce unbiased uncorrelated bits
from a biased correlated source which produces output bits according to a known ﬁnite Markov chain.
For a source whose correlation is more complicated, Santha and Vazirani [182] propose modeling it as a slightly random source, where each output bit is produced by a coin flip, but where an adversary is allowed to choose which coin will be flipped, from among all coins whose probability of yielding "Heads" is between $\delta$ and $1 - \delta$. (Here $\delta$ is a small fixed positive quantity.) This is an extremely pessimistic view of the possible correlation; nonetheless U. Vazirani [203] shows that if one has two independent slightly-random sources $X$ and $Y$ then one can produce "almost independent" biased bits by breaking the outputs of $X$ and $Y$ into blocks $x, y$ of length $k = \Omega\!\left(\frac{1}{\delta^2}\log(1/\delta)\log(1/\varepsilon)\right)$ bits each, and for each pair of blocks $x, y$ producing as output the bit $x \cdot y$ (the inner product of $x$ and $y$ over $\mathrm{GF}(2)$). This is a rather practical and elegant solution. Chor and Goldreich [58] generalize these results, showing how to produce independent biased bits from even worse sources, where some output bits can even be completely determined.
These results provide eﬀective means for generating truly random sequences of bits—an essential requirement
for cryptography—from somewhat defective natural sources of random bits.
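The von Neumann trick described above, as an added example that is not part of the notes: it runs the pair-grouping rule over a constructed biased-but-independent source and checks, both empirically and from the pair probabilities, that the kept bits are unbiased. The source, its bias of 0.8 and the seed are constructed for the demonstration.

```python
import random

def von_neumann_extract(bits):
    """Von Neumann's debiasing [206] as described in the text: group the source bits
    into pairs, emit 0 for a 01 pair, 1 for a 10 pair, and discard 00 and 11 pairs.
    This assumes the source bits are independent (biased but uncorrelated)."""
    out = []
    for i in range(0, len(bits) - 1, 2):
        a, b = bits[i], bits[i + 1]
        if a != b:
            out.append(a)  # 01 -> 0 and 10 -> 1, i.e. the first bit of an unequal pair
    return out

def bias(bits):
    """Fraction of one-bits; 0.5 means unbiased. Returns None for an empty list."""
    return sum(bits) / len(bits) if bits else None

def biased_source(n, p_one, seed):
    """Constructed stand-in for a defective natural source: independent bits with
    Pr[1] = p_one (the biased-but-uncorrelated case the von Neumann trick handles)."""
    rng = random.Random(seed)
    return [1 if rng.random() < p_one else 0 for _ in range(n)]

def exact_pair_probabilities(p_one):
    """Why it works: for independent bits with Pr[1] = p, Pr[01] = (1-p)p = Pr[10],
    so the kept bits are exactly unbiased. Only 2p(1-p) of the pairs are kept, so the
    output is at most a quarter of the input length (at p = 1/2) and shrinks as the
    bias grows."""
    p = p_one
    return {"01": (1 - p) * p, "10": p * (1 - p), "keep_rate": 2 * p * (1 - p)}

if __name__ == "__main__":
    src = biased_source(20000, 0.8, seed=7)
    out = von_neumann_extract(src)
    print("source bias", round(bias(src), 3), "-> output bias", round(bias(out), 3),
          "kept", len(out), "of", len(src), "bits")
```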
3.0.3 Generating Pseudo-Random Bit or Number Sequences
The one-time pad is generally impractical because of the large amount of key that must be stored. In practice, one
prefers to store only a short random key, from which a long pad can be produced with a suitable cryptographic
operator. Such an operator, which can take a short random sequence x and deterministically “expand” it into
a pseudorandom sequence y, is called a pseudorandom sequence generator. Usually x is called the seed for the
generator. The sequence y is called “pseudorandom” rather than random since not all sequences y are possible
outputs; the number of possible y’s is at most the number of possible seeds. Nonetheless, the intent is that for
all practical purposes y should be indistinguishable from a truly random sequence of the same length.
It is important to note that the use of a pseudorandom sequence generator reduces but does not eliminate the
need for a natural source of random bits; the pseudorandom sequence generator is a “randomness expander”,
but it must be given a truly random seed to begin with.
To achieve a satisfactory level of cryptographic security when used in a one-time pad scheme, the output of the
pseudorandom sequence generator must have the property that an adversary who has seen a portion of the
generator’s output y must remain unable to eﬃciently predict other unseen bits of y. For example, note that an
adversary who knows the ciphertext C can guess a portion of y by correctly guessing the corresponding portion
of the message M, such as a standardized closing “Sincerely yours,”. We would not like him thereby to be able
to eﬃciently read other portions of M, which he could do if he could eﬃciently predict other bits of y. Most
importantly, the adversary should not be able to eﬃciently infer the seed x from the knowledge of some bits of
y.
How can one construct secure pseudorandom sequence generators?
Classical Pseudorandom Generators are Unsuitable
Classical techniques for pseudorandom number generation [125, Chapter 3] which are quite useful and eﬀective
for Monte Carlo simulations are typically unsuitable for cryptographic applications. For example, linear feedback
shift registers [108] are well-known to be cryptographically insecure; one can solve for the feedback pattern given a small number of output bits.
Linear congruential random number generators are also insecure. These generators use the recurrence
$$X_{i+1} = aX_i + b \pmod{m} \qquad (3.1)$$
to generate an output sequence $\{X_0, X_1, \ldots\}$ from secret parameters $a$, $b$, and $m$, and starting point $X_0$. It is possible to infer the secret parameters given just a few of the $X_i$ [163]. Even if only a fraction of the bits of each $X_i$ are revealed, but $a$, $b$, and $m$ are known, Frieze, Håstad, Kannan, Lagarias, and Shamir show how to determine the seed $X_0$ (and thus the entire sequence) using the marvelous lattice basis reduction (or "$L^3$") algorithm of Lenstra, Lenstra, and Lovász [87, 132].
As a final example of the cryptographic unsuitability of classical methods, Kannan, Lenstra, and Lovász [122] use the $L^3$ algorithm to show that the binary expansion of any algebraic number $y$ (such as $\sqrt{5} = 10.001111000110111\ldots$) is insecure, since an adversary can identify $y$ exactly from a sufficient number of bits, and then extrapolate $y$'s expansion.
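An added illustration (not from the notes) of why the recurrence (3.1) must not be used where unpredictability matters: once the modulus $m$ is known, three consecutive outputs determine $a$ and $b$, and with them every later output. The multiplier, increment, modulus and seed below are constructed for the demonstration; the case where $m$ is also unknown (which the text says is likewise solvable) is not covered.

```python
def lcg_sequence(a, b, m, x0, count):
    """Outputs X_0, X_1, ..., X_{count-1} of recurrence (3.1): X_{i+1} = a*X_i + b (mod m)."""
    xs = [x0 % m]
    for _ in range(count - 1):
        xs.append((a * xs[-1] + b) % m)
    return xs

def recover_lcg_params(x0, x1, x2, m):
    """Solve for (a, b) from three consecutive outputs when the modulus m is known.
    Subtracting X1 = a*X0 + b from X2 = a*X1 + b gives X2 - X1 = a*(X1 - X0) (mod m),
    so a = (X2 - X1) * (X1 - X0)^{-1} mod m and then b = X1 - a*X0 mod m.
    Returns None when X1 - X0 is not invertible mod m: then a is not uniquely
    determined by these three values and further outputs would be needed."""
    d = (x1 - x0) % m
    try:
        d_inv = pow(d, -1, m)  # modular inverse; raises ValueError if gcd(d, m) != 1
    except ValueError:
        return None
    a = ((x2 - x1) * d_inv) % m
    b = (x1 - a * x0) % m
    return a, b

def predict_next(x_prev, a, b, m):
    """Once (a, b) are known, every later output follows from the last one seen."""
    return (a * x_prev + b) % m

if __name__ == "__main__":
    M = 2**31 - 1                      # constructed public modulus (a prime)
    xs = lcg_sequence(48271, 12345, M, 42, 6)
    a, b = recover_lcg_params(xs[0], xs[1], xs[2], M)
    print("recovered a =", a, "b =", b)
    print("predicted X_3 =", predict_next(xs[2], a, b, M), "actual X_3 =", xs[3])
```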
3.0.4 Provably Secure Pseudo-Random Generators: Brief Overview
This section provides a brief overview of the history of modern pseudo-random bit generators. Subsequent sections define these concepts formally and give constructions.
The first pseudorandom sequence generator proposed for which one can prove that it is impossible to predict the next number in the sequence from the previous numbers, assuming that it is infeasible to invert the RSA function, is due to Shamir [189]. However, this scheme generates a sequence of numbers rather than a sequence of bits, and the security proof shows that an adversary is unable to predict the next number, given the previous numbers output. This is not strong enough to prove that, when used in a one-time pad scheme, each bit of the message will be well-protected.
Blum and Micali [44] introduced the first method for designing provably secure pseudorandom bit sequence generators, based on the use of one-way predicates. They call a pseudorandom bit generator secure if an adversary cannot guess the next bit in the sequence from the prefix of the sequence, better than guessing at random. Blum and Micali then proposed a particular generator based on the difficulty of computing discrete logarithms. Blum, Blum, and Shub [39] propose another generator, called the squaring generator, which is simpler to implement and is provably secure assuming that the quadratic residuosity problem is hard. Alexi, Chor, Goldreich, and Schnorr [6] show that the assumption that the quadratic residuosity problem is hard can be replaced by the weaker assumption that factoring is hard. A related generator is obtained by using the RSA function. Kaliski shows how to extend these methods so that the security of the generator depends on the difficulty of computing elliptic logarithms; his techniques also generalize to other groups [120, 121]. Yao [208] shows that the pseudorandom generators defined above are perfect in the sense that no probabilistic polynomial-time algorithm can guess with probability greater by a non-negligible amount than $1/2$ whether an input string of length $k$ was randomly selected from $\{0,1\}^k$ or whether it was produced by one of the above generators. One can rephrase this to say that a generator that passes the next-bit test is perfect in the sense that it will pass all polynomial-time statistical tests. The Blum-Micali and Blum-Blum-Shub generators, together with the proof of Yao, represent a major achievement in the development of provably secure cryptosystems. Impagliazzo, Luby, Levin and Håstad show that actually the existence of a one-way function is equivalent to the existence of a pseudo random bit generator which passes all polynomial time statistical tests.
3.1 Definitions
Definition 3.1 Let $X_n$, $Y_n$ be probability distributions on $\{0,1\}^n$ (that is, by $t \in X_n$ we mean that $t \in \{0,1\}^n$ and it is selected according to the distribution $X_n$). We say that $\{X_n\}$ is poly-time indistinguishable from $\{Y_n\}$ if $\forall$ PTM $A$, $\forall$ polynomial $Q$, $\exists n_0$, s.t. $\forall n > n_0$,
$$\left|\Pr_{t \in X_n}(A(t) = 1) - \Pr_{t \in Y_n}(A(t) = 1)\right| < \frac{1}{Q(n)}$$
i.e., for sufficiently long strings, no PTM can tell whether the string was sampled according to $X_n$ or according to $Y_n$.
Intuitively, a pseudo-random distribution would be one that is indistinguishable from the uniform distribution. We denote the uniform probability distribution on $\{0,1\}^n$ by $U_n$. That is, for every $\alpha \in \{0,1\}^n$, $\Pr_{x \in U_n}[x = \alpha] = \frac{1}{2^n}$.
Definition 3.2 We say that $\{X_n\}$ is pseudo random if it is poly-time indistinguishable from $\{U_n\}$. That is, $\forall$ PTM $A$, $\forall$ polynomial $Q$, $\exists n_0$, such that $\forall n > n_0$,
$$\left|\Pr_{t \in X_n}[A(t) = 1] - \Pr_{t \in U_n}[A(t) = 1]\right| < \frac{1}{Q(n)}$$
Comments:
The algorithm $A$ used in the above definition is called a polynomial time statistical test. (Knuth, vol. 2, suggests various examples of statistical tests.) It is important to note that such a definition cannot make sense for a single string, as it can be drawn from either distribution.
If $\exists A$ and $Q$ such that the condition in Definition 3.2 is violated, we say that $X_n$ fails the test $A$.
Definition 3.3 A polynomial time deterministic program $G: \{0,1\}^k \to \{0,1\}^{\hat{k}}$ is a pseudorandom generator (PSRG) if the following conditions are satisfied.
1. $\hat{k} > k$
2. $\{G_{\hat{k}}\}_{\hat{k}}$ is pseudorandom, where $G_{\hat{k}}$ is the distribution on $\{0,1\}^{\hat{k}}$ obtained as follows: to get $t \in G_{\hat{k}}$:
pick $x \in U_k$
set $t = G(x)$
That is, $\forall$ PTM $A$, $\forall$ polynomial $Q$, $\forall$ sufficiently large $k$,
$$\left|\Pr_{t \in G_{\hat{k}}}(A(t) = 1) - \Pr_{t \in U_{\hat{k}}}(A(t) = 1)\right| < \frac{1}{Q(\hat{k})} \qquad (3.2)$$
3.2 The Existence Of A Pseudo-Random Generator
Next we prove the existence of PSRGs, if length-preserving one way permutations exist. It has been shown that if one-way functions exist (without requiring them to be length-preserving permutations) then PSRGs exist, but we will not show this here.
Theorem 3.4 Let $f: \{0,1\}^* \to \{0,1\}^*$ be a length preserving one-way permutation. Then
1. $\exists$ PSRG $G: \{0,1\}^k \to \{0,1\}^{k+1}$ (such $G$ is called an extender).
2. $\forall$ polynomial $Q$, $\exists$ PSRG $G_Q: \{0,1\}^k \to \{0,1\}^{Q(k)}$.
Proof:
Proof of 1: Let $f$ be as above. Let $B$ be the hard core bit of $f$ (that is, $B$ is a boolean predicate, $B: \{0,1\}^* \to \{0,1\}$, s.t. it is efficient to compute $B(x)$ given $x$, but given only $f(x)$, it is hard to compute $B(x)$ with probability greater than $\frac{1}{2} + \varepsilon$ for non-negligible $\varepsilon$). Recall that we showed last class that every OWF $f(x)$ can be converted into $f_1(x, r)$ for which $B'(x, r) = \sum_{i=1}^{|x|} x_i r_i \bmod 2$ is a hard core bit. For notational ease, assume that $B$ is already a hard-core bit for $f$.
Define
$$G_1(x) = f(x) \circ B(x)$$
($\circ$ denotes the string concatenation operation). We will prove that $G_1(x)$ has the required properties. Clearly, $G_1$ is computed in poly-time, and for $|x| = k$, $|G_1(x)| = k + 1$. It remains to show that the distribution $\{G^1_{k+1}\}$ is pseudo random.
Intuition: Indeed, knowing $f(x)$ should not help us to predict $B(x)$. As $f$ is a permutation, $f(U_k)$ is uniform on $\{0,1\}^k$, and any separation between $U_{k+1}$ and $G_{k+1}$ must be caused by the hard core bit. We would like to show that any such separation would enable us to predict $B(x)$ given only $f(x)$ and obtain a contradiction to $B$ being a hard core bit for $f$.
We proceed by contradiction: Assume that ($G$ is not good) $\exists$ statistical test $A$, polynomial $Q$ s.t.
$$\Pr_{t \in G_{k+1}}(A(t) = 1) - \Pr_{t \in U_{k+1}}(A(t) = 1) > \frac{1}{Q(k+1)}$$
(Note that we have dropped the absolute value from the inequality 3.2. This can be done wlog. We will later see what would change if the other direction of the inequality were true).
Intuitively, we may thus interpret that if $A$ answers 1 on a string $t$ it is more likely that $t$ is drawn from distribution $G_{k+1}$, and if $A$ answers 0 on string $t$ that it is more likely that $t$ is drawn from distribution $U_{k+1}$.
We note that the probability that $A(f(x) \circ b)$ returns 1 is the sum of the weighted probabilities that $A$ returns 1 conditioned on the case $b = B(x)$ and conditioned on the case $b = \overline{B(x)}$. By the assumed separation above, we get that it is more likely that $A(f(x) \circ b)$ will return 1 when $b = B(x)$. This easily translates to an algorithm for predicting the hard core bit of $f(x)$.
Formally, we have
$$\Pr_{x \in U_k,\, b \in U_1}[A(f(x) \circ b) = 1] = \Pr[A(f(x) \circ b) = 1 \mid b = B(x)]\,\Pr[b = B(x)] + \Pr[A(f(x) \circ b) = 1 \mid b = \overline{B(x)}]\,\Pr[b = \overline{B(x)}] = \frac{1}{2}(\alpha + \beta)$$
where $\alpha = \Pr[A(f(x) \circ b) = 1 \mid b = B(x)]$ and $\beta = \Pr[A(f(x) \circ b) = 1 \mid b = \overline{B(x)}]$.
From the assumption we therefore get
$$\Pr_{x \in U_k}[A(f(x) \circ B(x)) = 1] - \Pr_{x \in U_k,\, b \in U_1}[A(f(x) \circ b) = 1] = \alpha - \frac{1}{2}(\alpha + \beta) = \frac{1}{2}(\alpha - \beta) > \frac{1}{Q(k)}.$$
We now exhibit a polynomial time algorithm $A'$ that on input $f(x)$ computes $B(x)$ with success probability significantly better than $1/2$.
$A'$ takes as input $f(x)$ and outputs either a 0 or 1.
1. choose $b \in \{0,1\}$ at random
2. run $A(f(x) \circ b)$
3. If $A(f(x) \circ b) = 1$, output $b$, otherwise output $\bar{b}$.
Notice that, when dropping the absolute value from the inequality 3.2, if we take the second direction we just need to replace $b$ by $\bar{b}$ in the definition of $A'$.
Claim 3.5 $\Pr[A'(f(x)) = B(x)] > \frac{1}{2} + \frac{1}{Q(k)}$.
Proof:
$$\Pr[A'(f(x)) = B(x)] = \Pr[A(f(x) \circ b) = 1 \mid b = B(x)]\,\Pr[b = B(x)] + \Pr[A(f(x) \circ b) = 0 \mid b = \overline{B(x)}]\,\Pr[b = \overline{B(x)}] = \frac{1}{2}\alpha + \frac{1}{2}(1 - \beta) = \frac{1}{2} + \frac{1}{2}(\alpha - \beta) > \frac{1}{2} + \frac{1}{Q(k)}.$$
This contradicts the hardness of computing $B(x)$. It follows that $G_1$ is indeed a PSRG.
Proof of 2: Given a PSRG $G$ that expands random strings of length $k$ to pseudorandom strings of length $k + 1$, we need to show that, $\forall$ polynomial $Q$, $\exists$ PSRG $G_Q: \{0,1\}^k \to \{0,1\}^{Q(k)}$. We define $G_Q$ by first using $G$ $Q(k)$ times as follows:
$$x \to G \to f(x) \circ B(x)$$
$$f(x) \circ B(x) \to G \to f(f(x)) \circ B(f(x))$$
$$f^2(x) \circ B(f(x)) \to G \to f^3(x) \circ B(f^2(x))$$
$$\vdots$$
$$f^{Q(k)-1}(x) \circ B(f^{Q(k)-2}(x)) \to G \to f^{Q(k)}(x) \circ B(f^{Q(k)-1}(x))$$
(at each step $G$ is applied to the first $k$ bits of the previous output, i.e. to $f^i(x)$). The output of $G_Q(x)$ is the concatenation of the last bit from each string, i.e.,
$$G_Q(x) = B(x) \circ B(f(x)) \circ \cdots \circ B(f^{Q(k)-1}(x)) = b_{G^1}(x) \circ b_{G^2}(x) \circ \cdots \circ b_{G^{Q(|x|)}}(x)$$
where $b_{G^i}(x)$ denotes the last bit of the $i$-th application of $G$.
Clearly, $G_Q$ is poly-time and it satisfies the length requirements. We need to prove that the distribution generated by $G_Q$, $G_Q(U_k)$, is poly-time indistinguishable from $U_{Q(k)}$. We proceed by contradiction (and show that it implies that $G$ is not a PSRG).
If $G_{Q(k)}$ is not poly-time indistinguishable from $U_{Q(k)}$, $\exists$ statistical test $A$, and $\exists$ polynomial $P$, s.t.
$$\Pr_{t \in G_{Q(k)}}(A(t) = 1) - \Pr_{t \in U_{Q(k)}}(A(t) = 1) > \frac{1}{P(k)}$$
(As before we omit the absolute value). We now define a sequence $D_1, D_2, \ldots, D_{Q(k)}$ of distributions on $\{0,1\}^{Q(k)}$, s.t. $D_1$ is uniform (i.e. strings are random), $D_{Q(k)} = G_{Q(k)}$, and the intermediate $D_i$'s are distributions composed of concatenation of random followed by pseudorandom distributions. Specifically,
$t \in D_1$ is obtained by letting $t = s$ where $s \in U_{Q(k)}$
$t \in D_2$ is obtained by letting $t = s \circ B(x)$ where $s \in U_{Q(k)-1}$, $x \in U_k$
$t \in D_3$ is obtained by letting $t = s \circ B(x) \circ B(f(x))$ where $s \in U_{Q(k)-2}$, $x \in U_k$
$\vdots$
$t \in D_{Q(k)}$ is obtained by letting $t = B(x) \circ \cdots \circ B(f^{Q(k)-1}(x))$ where $x \in U_k$
Since the sequence 'moves' from $D_1 = U_{Q(k)}$ to $D_{Q(k)} = G_{Q(k)}$, and we have an algorithm $A$ that distinguishes between them, there must be two successive distributions between which $A$ distinguishes, i.e. $\exists i$, $1 \le i \le Q(k)$, s.t.
$$\Pr_{t \in D_i}(A(t) = 1) - \Pr_{t \in D_{i+1}}(A(t) = 1) > \frac{1}{P(k)\,Q(k)}$$
We now present a poly-time algorithm $A'$ that distinguishes between $U_{k+1}$ and $G_{k+1}$, with success probability significantly better than $\frac{1}{2}$, contradicting the fact that $G$ is a PSRG.
$A'$ works as follows on input $\alpha = \alpha_1 \alpha_2 \ldots \alpha_{k+1} = \alpha' \circ b$:
1. Choose $1 \le i \le Q(k)$ at random.
2. Let
$$t = \gamma_1 \circ \cdots \circ \gamma_{Q(k)-i-1} \circ b \circ b_{G^1}(\alpha') \circ b_{G^2}(\alpha') \circ \cdots \circ b_{G^i}(\alpha')$$
where the $\gamma_j$ are chosen randomly.
(Note that $t \in D_i$ if $\alpha' \circ b \in U_{k+1}$, and that $t \in D_{i+1}$ if $\alpha' \circ b \in G_{k+1}$.)
3. We now run $A(t)$. If we get 1, $A'$ returns 0. If we get 0, $A'$ returns 1.
(i.e. if $A$ returns 1, it is interpreted as a vote for $D_i$ and therefore for $b \ne B(\alpha')$ and $\alpha \in U_{k+1}$. On the other hand, if $A$ returns 0, it is interpreted as a vote for $D_{i+1}$ and therefore for $b = B(\alpha')$ and $\alpha \in G_{k+1}$.)
It is immediate that:
$$\Pr_{\alpha \in U_{k+1}}(A'(\alpha) = 1) - \Pr_{\alpha \in G_{k+1}}(A'(\alpha) = 1) > \frac{1}{P(k)\,Q^2(k)}$$
The extra $\frac{1}{Q(k)}$ factor comes from the random choice of $i$. This violates the fact that $G$ was a pseudo random generator as we proved in part 1. This is a contradiction.
3.3 Next Bit Tests
If a pseudorandom bit sequence generator has the property that it is difficult to predict the next bit from previous ones with accuracy greater than $\frac{1}{2}$ by a non-negligible amount in time polynomial in the size of the seed, then we say that the generator passes the "next-bit" test.
Definition 3.6 A next bit test is a special kind of statistical test which takes as input a prefix of a sequence and outputs a prediction of the next bit.
Definition 3.7 A (discrete) probability distribution on a set $S$ is a function $D: S \to [0,1] \subset \mathbb{R}$ so that $\sum_{s \in S} D(s) = 1$. For brevity, probability distributions on $\{0,1\}^k$ will be subscripted with a $k$. The notation $x \in X_n$ means that $x$ is chosen so that $\forall z \in \{0,1\}^n$, $\Pr[x = z] = X_n(z)$. In what follows, $U_n$ is the uniform distribution.
Recall the definition of a pseudorandom number generator:
Definition 3.8 A pseudorandom number generator (PSRG) is a polynomial time deterministic algorithm $G$ so that:
1. if $|x| = k$ then $|G(x)| = \hat{k}$
2. $\hat{k} > k$,
3. $G_{\hat{k}}$ is pseudorandom (2), where $G_{\hat{k}}$ is the probability distribution induced by $G$ on $\{0,1\}^{\hat{k}}$.
Definition 3.9 We say that a pseudorandom generator passes the next bit test $A$ if for every polynomial $Q$ there exists an integer $k_0$ such that for all $\hat{k} > k_0$ and $p < \hat{k}$
$$\Pr_{t \in G_{\hat{k}}}[A(t_1 t_2 \ldots t_p) = t_{p+1}] < \frac{1}{2} + \frac{1}{Q(k)}$$
Theorem 3.10 $G$ passes all next bit tests $\Leftrightarrow$ $G$ passes all statistical tests.
Proof:
($\Leftarrow$) Trivial.
($\Rightarrow$) Suppose, for contradiction, that $G$ passes all next bit tests but fails some statistical test $A$. We will use $A$ to construct a next bit test $A'$ which $G$ fails. Define an operator on probability distributions so that $[X_n \otimes Y_m](z) = X_n(z_n)\,Y_m(z_m)$ where $z = z_n \circ z_m$, $|z_n| = n$, $|z_m| = m$ ($\circ$ is concatenation). For $j \le \hat{k}$ let $G_{j,\hat{k}}$ be the probability distribution induced by $G_{\hat{k}}$ on $\{0,1\}^j$ by taking prefixes. (That is $G_{j,\hat{k}}(x) = \sum_{z \in \{0,1\}^{\hat{k}},\ z \text{ extends } x} G_{\hat{k}}(z)$.)
Define a sequence of distributions $H_i = G_{i,\hat{k}} \otimes U_{\hat{k}-i}$ on $\{0,1\}^{\hat{k}}$ of "increasing pseudorandomness." Then $H_0 = U_{\hat{k}}$ and $H_{\hat{k}} = G_{\hat{k}}$. Because $G$ fails $A$, $A$ can differentiate between $U_{\hat{k}} = H_0$ and $G_{\hat{k}} = H_{\hat{k}}$; that is, $\exists Q \in \mathbb{Q}[x]$ so that
$$\left|\Pr_{t \in H_0}[A(t) = 1] - \Pr_{t \in H_{\hat{k}}}[A(t) = 1]\right| > \frac{1}{Q(k)}.$$
We may assume without loss of generality that $A(t) = 1$ more often when $t$ is chosen from $U_{\hat{k}}$ (otherwise we invert the output of $A$) so that we may drop the absolute value markers on the left hand side. Then $\exists i$, $0 \le i \le \hat{k} - 1$ so that
$$\Pr_{t \in H_i}[A(t) = 1] - \Pr_{t \in H_{i+1}}[A(t) = 1] > \frac{1}{\hat{k}\,Q(k)}.$$
The next bit test $A'$ takes $t_1 t_2 \ldots t_i$ and outputs a guess for $t_{i+1}$. $A'$ first constructs
$$s_0 = t_1 t_2 \ldots t_i\, 0\, r_{i+2} r_{i+3} \ldots r_{\hat{k}}$$
$$s_1 = t_1 t_2 \ldots t_i\, 1\, \hat{r}_{i+2} \hat{r}_{i+3} \ldots \hat{r}_{\hat{k}}$$
where $r_j$ and $\hat{r}_j$ are random bits for $i + 2 \le j \le \hat{k}$. $A'$ then computes $A(s_0)$ and $A(s_1)$.
If $A(s_0) = A(s_1)$, then $A'$ outputs a random bit.
If $0 = A(s_0) \ne A(s_1)$, then $A'$ outputs 0.
If $1 = A(s_0) \ne A(s_1)$, then $A'$ outputs 1.
Claim 3.11 By analysis similar to that done in the previous lecture, $\Pr[A'(t_1 t_2 \ldots t_i) = t_{i+1}] > \frac{1}{2} + \frac{1}{\hat{k}\,Q(k)}$.
Thus we reach a contradiction: $A'$ is a next bit test that $G$ fails, which contradicts our assumption that $G$ passes all next bit tests.
(2) A pseudorandom distribution is one which is polynomial time indistinguishable from $U_{\hat{k}}$.
3.4 Examples of Pseudo-Random Generators
Each of the one way functions we have discussed induces a pseudorandom generator. Listed below are these generators (including the Blum/Blum/Shub generator which will be discussed afterwards) and their associated costs. See [44, 39, 176].
Name | One way function | Cost of computing one way function | Cost of computing $j$-th bit of generator
RSA | $x^e \bmod n$, $n = pq$ | $k^3$ | $jk^3$
Rabin | $x^2 \bmod n$, $n = pq$ | $k^2$ | $jk^2$
Blum/Micali | $\mathrm{EXP}(p, g, x)$ | $k^3$ | $jk^3$
Blum/Blum/Shub | (see below) | $k^2$ | $\max(k^2 \log j,\ k^3)$
3.4.1 Blum/Blum/Shub Pseudo-Random Generator
The Blum/Blum/Shub pseudorandom generator uses the (proposed) one way function $g_n(x) = x^2 \bmod n$ where $n = pq$ for primes $p$ and $q$ so that $p \equiv q \equiv 3 \pmod 4$. In this case, the squaring endomorphism $x \to x^2$ on $\mathbb{Z}_n^*$ restricts to an isomorphism on $(\mathbb{Z}_n^*)^2$, so $g_n$ is a permutation on $(\mathbb{Z}_n^*)^2$. (Recall that every square has a unique square root which is itself a square.)
Claim 3.12 The least significant bit of $x$ is a hard bit for the one way function $g_n$.
The $j$-th bit of the Blum/Blum/Shub generator may be computed in the following way:
$$B(x^{2^j} \bmod n) = B(x^{\alpha} \bmod n)$$
where $\alpha \equiv 2^j \pmod{\phi(n)}$. If the factors of $n$ are known, then $\phi(n) = (p - 1)(q - 1)$ may be computed so that $\alpha$ may be computed prior to the exponentiation. $\alpha = 2^j \bmod \phi(n)$ may be computed in $O(k^2 \log j)$ time and $x^{\alpha}$ may be computed in $k^3$ time so that the computation of $B(x^{2^j})$ takes $O(\max(k^3, k^2 \log j))$ time.
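An added example (not from the notes) that instantiates the extender $G_1$ and the iterated generator $G_Q$ from the proof of Theorem 3.4 with the Blum/Blum/Shub permutation $g_n$ and its least-significant-bit hard bit (Claim 3.12), and checks the $j$-th bit shortcut via $\alpha = 2^j \bmod \phi(n)$ against plain iteration. The primes $p = 1019$, $q = 1039$ and the seed are constructed toy values; Theorem 3.4 asks for a length-preserving permutation on bit strings, whereas $g_n$ permutes only the squares modulo $n$, and a real $n$ must be far larger.

```python
from math import gcd

# Constructed toy parameters: p and q are small Blum primes (both are 3 mod 4).
# Real use needs primes hundreds of digits long; these only illustrate the mechanics.
P, Q = 1019, 1039
N = P * Q
PHI = (P - 1) * (Q - 1)

def g_n(x, n=N):
    """The Blum/Blum/Shub candidate one way function g_n(x) = x^2 mod n."""
    return (x * x) % n

def hard_bit(x):
    """Claim 3.12: the least significant bit of x is a hard bit for g_n."""
    return x & 1

def extender(x, f=g_n, B=hard_bit):
    """G_1(x) = f(x) o B(x) from Theorem 3.4 part 1, returned as (new state, output bit)."""
    return f(x), B(x)

def g_q(x, bits, f=g_n, B=hard_bit):
    """G_Q from Theorem 3.4 part 2: apply the extender Q(k) = `bits` times, feeding f(x)
    back in, and output the last bit of each step: B(x) o B(f(x)) o ... o B(f^{Q(k)-1}(x))."""
    out = []
    state = x
    for _ in range(bits):
        state, bit = extender(state, f, B)
        out.append(bit)
    return out

def bbs_bit_direct(x, j, n=N, phi=PHI):
    """Section 3.4.1 shortcut: with phi(n) known, B(x^{2^j} mod n) = B(x^alpha mod n) for
    alpha = 2^j mod phi(n), so the j-th bit costs O(k^2 log j) + k^3 instead of j squarings."""
    alpha = pow(2, j, phi)
    return pow(x, alpha, n) & 1

def seed_to_residue(s, n=N):
    """Map a seed s coprime to n into the domain (Z_n^*)^2, on which g_n is a permutation."""
    if gcd(s, n) != 1:
        raise ValueError("seed must be coprime to n")
    return (s * s) % n

def squaring_is_permutation_on_squares(n):
    """Brute-force check (small n only) that x -> x^2 mod n permutes (Z_n^*)^2."""
    squares = {(x * x) % n for x in range(1, n) if gcd(x, n) == 1}
    return {g_n(s, n) for s in squares} == squares

if __name__ == "__main__":
    x0 = seed_to_residue(12345)          # constructed seed
    stream = g_q(x0, 64)
    print("".join(map(str, stream)))
    print("shortcut agrees with iteration:",
          all(stream[j] == bbs_bit_direct(x0, j) for j in range(64)))
```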
An interesting feature of the Blum/Blum/Shub generator is that if the factorization of $n$ is known, the $2^{\sqrt{n}}$-th bit can be generated in time polynomial in $|n|$. The following question can be raised: let $G_{BBS}(x, p, q) = B(f^{2^{\sqrt{n}}}(x)) \circ \ldots \circ B(f^{2^{\sqrt{n}} + 2k}(x))$ for $n = pq$ and $|x| = k$. Let $G^{BBS}_{2k}$ be the distribution induced by $G_{BBS}$ on $\{0,1\}^{2k}$.
Open Problem 3.13 Is this distribution $G^{BBS}_{2k}$ pseudorandom? Namely, can you prove that $\forall Q \in \mathbb{Q}[x]$, $\forall$ PTM $A$, $\exists k_0$, $\forall k > k_0$
$$\left|\Pr_{t \in G^{BBS}_{2k}}[A(t) = 1] - \Pr_{t \in U_{2k}}[A(t) = 1]\right| < \frac{1}{Q(2k)}$$
The previous proof that $G$ is pseudorandom doesn't work here because in this case the factorization of $n$ is part of the seed so no contradiction will be reached concerning the difficulty of factoring.
More generally,
Open Problem 3.14 Pseudorandom generators, given seed $x$, implicitly define an infinite string $g^x_1 g^x_2 \ldots$. Find a pseudorandom generator so that the distribution created by restricting to any polynomially selected subset of bits of $g^x$ is pseudorandom. By polynomially selected we mean examined by a polynomial time machine which can see $g^x_i$ upon request for a polynomial number of $i$'s (the machine must write down the $i$'s, restricting $|i|$ to be polynomial in $|x|$).
Chapter 4
Block ciphers
Block ciphers are the central tool in the design of protocols for shared-key (aka symmetric) cryptography. They are the main available "technology" we have at our disposal. This chapter will take a look at these objects and describe the state of the art in their construction.
It is important to stress that block ciphers are just tools—raw ingredients for cooking up something more useful. Block ciphers don't, by themselves, do something that an end-user would care about. As with any powerful tool, one has to learn to use this one. Even an excellent block cipher won't give you security if you don't use it right. But used well, these are powerful tools indeed. Accordingly, an important theme in several upcoming chapters will be on how to use block ciphers well. We won't be emphasizing how to design or analyze block ciphers, as this remains very much an art.
This chapter gets you acquainted with some typical block ciphers, and discusses attacks on them. In particular we'll look at two examples, DES and AES. DES is the "old standby." It is currently the most widely-used block cipher in existence, and it is of sufficient historical significance that every trained cryptographer needs to have seen its description. AES is a modern block cipher, and it is expected to supplant DES in the years to come.
4.1 What is a block cipher?
A block cipher is a function $E: \{0,1\}^k \times \{0,1\}^n \to \{0,1\}^n$. This notation means that $E$ takes two inputs, one being a $k$-bit string and the other an $n$-bit string, and returns an $n$-bit string. The first input is the key. The second might be called the plaintext, and the output might be called a ciphertext. The key-length $k$ and the block-length $n$ are parameters associated to the block cipher. They vary from block cipher to block cipher, as of course does the design of the algorithm itself.
For each key $K \in \{0,1\}^k$ we let $E_K: \{0,1\}^n \to \{0,1\}^n$ be the function defined by $E_K(M) = E(K, M)$. For any block cipher, and any key $K$, it is required that the function $E_K$ be a permutation on $\{0,1\}^n$. This means that it is a bijection (i.e., a one-to-one and onto function) of $\{0,1\}^n$ to $\{0,1\}^n$. (For every $C \in \{0,1\}^n$ there is exactly one $M \in \{0,1\}^n$ such that $E_K(M) = C$.) Accordingly $E_K$ has an inverse, and we denote it $E_K^{-1}$. This function also maps $\{0,1\}^n$ to $\{0,1\}^n$, and of course we have $E_K^{-1}(E_K(M)) = M$ and $E_K(E_K^{-1}(C)) = C$ for all $M, C \in \{0,1\}^n$. We let $E^{-1}: \{0,1\}^k \times \{0,1\}^n \to \{0,1\}^n$ be defined by $E^{-1}(K, C) = E_K^{-1}(C)$. This is the inverse block cipher to $E$.
The block cipher $E$ is a public and fully specified algorithm. Both the cipher $E$ and its inverse $E^{-1}$ should be easily computable, meaning given $K, M$ we can readily compute $E(K, M)$, and given $K, C$ we can readily compute $E^{-1}(K, C)$. By "readily compute" we mean that there are public and relatively efficient programs available for these tasks.
function DES_K(M)                                 // |K| = 56 and |M| = 64
    (K_1, ..., K_16) ← KeySchedule(K)             // |K_i| = 48 for 1 ≤ i ≤ 16
    M ← IP(M)
    Parse M as L_0 R_0                            // |L_0| = |R_0| = 32
    for r = 1 to 16 do
        L_r ← R_{r-1} ; R_r ← f(K_r, R_{r-1}) ⊕ L_{r-1}
    C ← IP^{-1}(L_16 R_16)
    return C
Figure 4.1: The DES block cipher. The text and other figures describe the subroutines KeySchedule, f, IP, IP^{-1}.
In typical usage, a random key $K$ is chosen and kept secret between a pair of users. The function $E_K$ is then used by the two parties to process data in some way before they send it to each other. Typically, we will assume the adversary will be able to obtain some input-output examples for $E_K$, meaning pairs of the form $(M, C)$ where $C = E_K(M)$. But, ordinarily, the adversary will not be shown the key $K$. Security relies on the secrecy of the key. So, as a first cut, you might think of the adversary's goal as recovering the key $K$ given some input-output examples of $E_K$. The block cipher should be designed to make this task computationally difficult. (Later we will refine the view that the adversary's goal is key-recovery, seeing that security against key-recovery is a necessary but not sufficient condition for the security of a block cipher.)
We emphasize that we've said absolutely nothing about what properties a block cipher should have. A function like $E_K(M) = M$ is a block cipher (the "identity block cipher"), but we shall not regard it as a "good" one.
How do real block ciphers work? Let's take a look at some of them to get a sense of this.
4.2 Data Encryption Standard (DES)
The Data Encryption Standard (DES) is the quintessential block cipher. Even though it is now quite old, and on the way out, no discussion of block ciphers can really omit mention of this construction. DES is a remarkably well-engineered algorithm which has had a powerful influence on cryptography. It is in very widespread use, and probably will be for some years to come. Every time you use an ATM machine, you are using DES.
4.2.1 A brief history
In 1972 the NBS (National Bureau of Standards, now NIST, the National Institute of Standards and Technology) initiated a program for data protection and wanted as part of it an encryption algorithm that could be standardized. They put out a request for such an algorithm. In 1974, IBM responded with a design based on their "Lucifer" algorithm. This design would eventually evolve into the DES.
DES has a key-length of $k = 56$ bits and a block-length of $n = 64$ bits. It consists of 16 rounds of what is called a "Feistel network." We will describe more details shortly.
After NBS, several other bodies adopted DES as a standard, including ANSI (the American National Standards
Institute) and the American Bankers Association.
The standard was to be reviewed every ﬁve years to see whether or not it should be readopted. Although there
were claims that it would not be recertiﬁed, the algorithm was recertiﬁed again and again. Only recently did
the work for ﬁnding a replacement begin in earnest, in the form of the AES (Advanced Encryption Standard)
eﬀort.
4.2.2 Construction
The DES algorithm is depicted in Figure 4.1. It takes input a 56-bit key $K$ and a 64-bit plaintext $M$. The key-schedule KeySchedule produces from the 56-bit key $K$ a sequence of 16 subkeys, one for each of the rounds that follows. Each subkey is 48 bits long. We postpone the discussion of the KeySchedule algorithm.
IP:
58 50 42 34 26 18 10 2
60 52 44 36 28 20 12 4
62 54 46 38 30 22 14 6
64 56 48 40 32 24 16 8
57 49 41 33 25 17 9 1
59 51 43 35 27 19 11 3
61 53 45 37 29 21 13 5
63 55 47 39 31 23 15 7
IP^{-1}:
40 8 48 16 56 24 64 32
39 7 47 15 55 23 63 31
38 6 46 14 54 22 62 30
37 5 45 13 53 21 61 29
36 4 44 12 52 20 60 28
35 3 43 11 51 19 59 27
34 2 42 10 50 18 58 26
33 1 41 9 49 17 57 25
Figure 4.2: Tables describing the DES initial permutation IP and its inverse IP^{-1}.
function f(J, R)                                  // |J| = 48 and |R| = 32
    R ← E(R) ; R ← R ⊕ J
    Parse R as R_1 R_2 R_3 R_4 R_5 R_6 R_7 R_8    // |R_i| = 6 for 1 ≤ i ≤ 8
    for i = 1, ..., 8 do
        R_i ← S_i(R_i)                            // Each S-box returns 4 bits
    R ← R_1 R_2 R_3 R_4 R_5 R_6 R_7 R_8           // |R| = 32 bits
    R ← P(R)
    return R
Figure 4.3: The f-function of DES. The text and other figures describe the subroutines used.
The initial permutation IP simply permutes the bits of M, as described by the table of Figure 4.2. The table
says that bit 1 of the output is bit 58 of the input; bit 2 of the output is bit 50 of the input; . . . ; bit 64 of the
output is bit 7 of the input. Note that the key is not involved in this permutation. The initial permutation does
not appear to aﬀect the cryptographic strength of the algorithm, and its purpose remains a bit of a mystery.
The permuted plaintext is now input to a loop, which operates on it in 16 rounds. Each round takes a 64-bit input, viewed as consisting of a 32-bit left half and a 32-bit right half, and, under the influence of the subkey $K_r$, produces a 64-bit output. The input to round $r$ is $L_{r-1}R_{r-1}$, and the output of round $r$ is $L_rR_r$. Each round is what is called a Feistel round, named after Horst Feistel, one of the IBM designers of a precursor of DES. Figure 4.1 shows how it works, meaning how $L_rR_r$ is computed as a function of $L_{r-1}R_{r-1}$, by way of the function $f$, the latter depending on the subkey $K_r$ associated to the $r$-th round.
One of the reasons to use this round structure is that it is reversible, important to ensure that $\mathrm{DES}_K$ is a permutation for each key $K$, as it should be to qualify as a block cipher. Indeed, given $L_rR_r$ (and $K_r$) we can recover $L_{r-1}R_{r-1}$ via $R_{r-1} \leftarrow L_r$ and $L_{r-1} \leftarrow f(K_r, L_r) \oplus R_r$.
Following the 16 rounds, the inverse of the permutation IP, also depicted in Figure 4.2, is applied to the 64bit
output of the 16th round, and the result of this is the output ciphertext.
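An added example (not the notes' code) that applies the tables of Figure 4.2 with the reading rule of the text, checks that IP and IP^{-1} undo each other, and runs the round structure of Figure 4.1 forward and backward with a constructed, deliberately non-injective stand-in for $f$, to show that $\mathrm{DES}_K$ is a permutation whatever $f$ is. The key schedule, the S-boxes and the real $f$ are not implemented; the round keys and the message block are constructed random bits.

```python
import random

# Tables from Figure 4.2: entry i (1-based) says "output bit i is input bit table[i-1]".
IP = [58, 50, 42, 34, 26, 18, 10, 2,  60, 52, 44, 36, 28, 20, 12, 4,
      62, 54, 46, 38, 30, 22, 14, 6,  64, 56, 48, 40, 32, 24, 16, 8,
      57, 49, 41, 33, 25, 17, 9, 1,   59, 51, 43, 35, 27, 19, 11, 3,
      61, 53, 45, 37, 29, 21, 13, 5,  63, 55, 47, 39, 31, 23, 15, 7]
IP_INV = [40, 8, 48, 16, 56, 24, 64, 32,  39, 7, 47, 15, 55, 23, 63, 31,
          38, 6, 46, 14, 54, 22, 62, 30,  37, 5, 45, 13, 53, 21, 61, 29,
          36, 4, 44, 12, 52, 20, 60, 28,  35, 3, 43, 11, 51, 19, 59, 27,
          34, 2, 42, 10, 50, 18, 58, 26,  33, 1, 41, 9, 49, 17, 57, 25]

def permute(bits, table):
    """Apply a DES permutation table: output bit i is input bit table[i-1]."""
    return [bits[t - 1] for t in table]

def is_inverse_pair(t1, t2):
    """True if applying t1 and then t2 returns every bit position to where it started."""
    identity = list(range(1, len(t1) + 1))
    return permute(permute(identity, t1), t2) == identity

def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]

def toy_f(subkey48, r32):
    """Constructed stand-in for the DES f-function (NOT the real one). It is not
    injective in r32 on purpose: the Feistel structure must still give a permutation."""
    return [(r32[i] & subkey48[i]) ^ r32[(i + 5) % 32] ^ subkey48[32 + (i % 16)]
            for i in range(32)]

def feistel_rounds(left, right, round_keys, f):
    """The loop of Figure 4.1: L_r = R_{r-1}; R_r = f(K_r, R_{r-1}) xor L_{r-1}."""
    for k in round_keys:
        left, right = right, xor(f(k, right), left)
    return left, right

def feistel_rounds_inverse(left, right, round_keys, f):
    """Undo the rounds, last key first: R_{r-1} = L_r; L_{r-1} = f(K_r, L_r) xor R_r."""
    for k in reversed(round_keys):
        left, right = xor(f(k, left), right), left
    return left, right

def des_skeleton(m64, round_keys, f=toy_f):
    """DES_K(M) of Figure 4.1 with KeySchedule replaced by caller-supplied round keys."""
    m = permute(m64, IP)
    l, r = feistel_rounds(m[:32], m[32:], round_keys, f)
    return permute(l + r, IP_INV)

def des_skeleton_inverse(c64, round_keys, f=toy_f):
    """DES_K^{-1}(C): IP undoes the final IP^{-1}, the rounds are reversed, and
    IP^{-1} undoes the initial IP."""
    c = permute(c64, IP)
    l, r = feistel_rounds_inverse(c[:32], c[32:], round_keys, f)
    return permute(l + r, IP_INV)

def random_bits(n, seed):
    """Constructed random bits (for the demonstration only, not a key generator)."""
    rng = random.Random(seed)
    return [rng.randrange(2) for _ in range(n)]

def roundtrip_ok(seed=1):
    """Encrypt a constructed 64-bit block under 16 constructed 48-bit round keys and
    check that the inverse recovers it."""
    keys = [random_bits(48, seed * 100 + i) for i in range(16)]
    m = random_bits(64, seed)
    return des_skeleton_inverse(des_skeleton(m, keys), keys) == m

if __name__ == "__main__":
    print("IP and IP^-1 are inverses:", is_inverse_pair(IP, IP_INV))
    print("Feistel round-trip with a non-injective f:", roundtrip_ok())
```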
A sequence of Feistel rounds is a common high-level design for a block cipher. For a closer look we need to see how the function $f(\cdot, \cdot)$ works. It is shown in Figure 4.3. It takes a 48-bit subkey $J$ and a 32-bit input $R$ to return a 32-bit output. The 32-bit $R$ is first expanded into a 48-bit string via the function $E$ described by the table of Figure 4.4. This says that bit 1 of the output is bit 32 of the input; bit 2 of the output is bit 1 of the input; . . . ; bit 48 of the output is bit 1 of the input.
Note the $E$ function is quite structured. In fact barring that 1 and 32 have been swapped (see top left and bottom right) it looks almost sequential. Why did they do this? Who knows. That's the answer to most things about DES.
Now the subkey $J$ is XORed with the output of the $E$ function to yield a 48-bit result that we continue to denote by $R$. This is split into 8 blocks, each 6 bits long. To the $i$-th block we apply the function $S_i$ called the $i$-th S-box. Each S-box is a function taking 6 bits and returning 4 bits. The result is that the 48-bit $R$ is compressed to 32 bits. These 32 bits are permuted according to the $P$ permutation described in the usual way by the table of Figure 4.4, and the result is the output of the $f$ function. Let us now discuss the S-boxes.
E:
32 1 2 3 4 5
4 5 6 7 8 9
8 9 10 11 12 13
12 13 14 15 16 17
16 17 18 19 20 21
20 21 22 23 24 25
24 25 26 27 28 29
28 29 30 31 32 1
P:
16 7 20 21
29 12 28 17
1 15 23 26
5 18 31 10
2 8 24 14
32 27 3 9
19 13 30 6
22 11 4 25
Figure 4.4: Tables describing the expansion function E and final permutation P of the DES f-function.
Each S-box is described by a table as shown in Figure 4.5. Read these tables as follows. S_i takes a 6-bit input.
Write it as b_1 b_2 b_3 b_4 b_5 b_6. Read b_3 b_4 b_5 b_6 as an integer in the range 0, . . . , 15, naming a column in the table
describing S_i. Let b_1 b_2 name a row in the table describing S_i. Take the row b_1 b_2, column b_3 b_4 b_5 b_6 entry of the
table of S_i to get an integer in the range 0, . . . , 15. The output of S_i on input b_1 b_2 b_3 b_4 b_5 b_6 is the 4-bit string
corresponding to this table entry.
The S-boxes are the heart of the algorithm, and much effort was put into designing them to achieve various
security goals and resistance to certain attacks.
Finally, we discuss the key schedule. It is shown in Figure 4.6. Each round subkey K_r is formed by taking
some 48 bits of K. Specifically, a permutation called PC1 is first applied to the 56-bit key to yield a permuted
version of it. This is then divided into two 28-bit halves and denoted C_0 D_0. The algorithm now goes through
16 rounds. The rth round takes input C_{r-1} D_{r-1}, computes C_r D_r, and applies a function PC2 that extracts
48 bits from this 56-bit quantity. This is the subkey K_r for the rth round. The computation of C_r D_r is quite
simple. The bits of C_{r-1} are rotated to the left j positions to get C_r, and D_r is obtained similarly from D_{r-1},
where j is either 1 or 2, depending on r.
The functions PC1 and PC2 are tabulated in Figure 4.7. The first table needs to be read in a strange way. It
contains 56 integers, these being all integers in the range 1, . . . , 64 barring multiples of 8. Given a 56-bit string
K = K[1] . . . K[56] as input, the corresponding function returns the 56-bit string L = L[1] . . . L[56] computed
as follows. Suppose 1 ≤ i ≤ 56, and let a be the ith entry of the table. Write a = 8q + r where 1 ≤ r ≤ 7.
Then let L[i] = K[a − q]. As an example, let us determine the first bit, L[1], of the output of the function on
input K. We look at the first entry in the table, which is 57. We divide it by 8 to get 57 = 8(7) + 1. So L[1]
equals K[57 − 7] = K[50], meaning the 1st bit of the output is the 50th bit of the input. On the other hand
PC2 is read in the usual way as a map taking a 56-bit input to a 48-bit output: bit 1 of the output is bit 14
of the input; bit 2 of the output is bit 17 of the input; . . . ; bit 56 of the output is bit 32 of the input.
Well now you know how DES works. Of course, the main questions about the design are: why, why and why?
What motivated these design choices? We don’t know too much about this, although we can guess a little. And
one of the designers of DES, Don Coppersmith, has written a short paper which provides some information.
4.2.3 Speed
One of the design goals of DES was that it would have fast implementations relative to the technology of its
time. How fast can you compute DES? In roughly current technology (well, nothing is current by the time one
writes it down!) one can get well over 1 Gbit/sec on high-end VLSI. Specifically at least 1.6 Gbits/sec, maybe
more. That’s pretty fast. Perhaps a more interesting figure is that one can implement each DES S-box with at
most 50 two-input gates, where the circuit has depth of only 3. Thus one can compute DES by a combinatorial
circuit of about 8 · 16 · 50 = 640 gates and depth of 3 · 16 = 48 gates.
In software, on a fairly modern processor, DES takes something like 80 cycles per byte. This is disappointingly
slow—not surprisingly, since DES was optimized for hardware and was designed before the days in which
software implementations were considered feasible or desirable.
S_1:
       0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
  00  14  4 13  1  2 15 11  8  3 10  6 12  5  9  0  7
  01   0 15  7  4 14  2 13  1 10  6 12 11  9  5  3  8
  10   4  1 14  8 13  6  2 11 15 12  9  7  3 10  5  0
  11  15 12  8  2  4  9  1  7  5 11  3 14 10  0  6 13
S_2:
       0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
  00  15  1  8 14  6 11  3  4  9  7  2 13 12  0  5 10
  01   3 13  4  7 15  2  8 14 12  0  1 10  6  9 11  5
  10   0 14  7 11 10  4 13  1  5  8 12  6  9  3  2 15
  11  13  8 10  1  3 15  4  2 11  6  7 12  0  5 14  9
S_3:
       0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
  00  10  0  9 14  6  3 15  5  1 13 12  7 11  4  2  8
  01  13  7  0  9  3  4  6 10  2  8  5 14 12 11 15  1
  10  13  6  4  9  8 15  3  0 11  1  2 12  5 10 14  7
  11   1 10 13  0  6  9  8  7  4 15 14  3 11  5  2 12
S_4:
       0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
  00   7 13 14  3  0  6  9 10  1  2  8  5 11 12  4 15
  01  13  8 11  5  6 15  0  3  4  7  2 12  1 10 14  9
  10  10  6  9  0 12 11  7 13 15  1  3 14  5  2  8  4
  11   3 15  0  6 10  1 13  8  9  4  5 11 12  7  2 14
S_5:
       0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
  00   2 12  4  1  7 10 11  6  8  5  3 15 13  0 14  9
  01  14 11  2 12  4  7 13  1  5  0 15 10  3  9  8  6
  10   4  2  1 11 10 13  7  8 15  9 12  5  6  3  0 14
  11  11  8 12  7  1 14  2 13  6 15  0  9 10  4  5  3
S_6:
       0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
  00  12  1 10 15  9  2  6  8  0 13  3  4 14  7  5 11
  01  10 15  4  2  7 12  9  5  6  1 13 14  0 11  3  8
  10   9 14 15  5  2  8 12  3  7  0  4 10  1 13 11  6
  11   4  3  2 12  9  5 15 10 11 14  1  7  6  0  8 13
S_7:
       0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
  00   4 11  2 14 15  0  8 13  3 12  9  7  5 10  6  1
  01  13  0 11  7  4  9  1 10 14  3  5 12  2 15  8  6
  10   1  4 11 13 12  3  7 14 10 15  6  8  0  5  9  2
  11   6 11 13  8  1  4 10  7  9  5  0 15 14  2  3 12
S_8:
       0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
  00  13  2  8  4  6 15 11  1 10  9  3 14  5  0 12  7
  01   1 15 13  8 10  3  7  4 12  5  6 11  0 14  9  2
  10   7 11  4  1  9 12 14  2  0  6 10 13 15  3  5  8
  11   2  1 14  7  4 10  8 13 15 12  9  0  3  5  6 11
Figure 4.5: The DES S-boxes.
4.3 Key recovery attacks on block ciphers
Now that we know what a block cipher looks like, let us consider attacking one. This is called cryptanalysis of
the block cipher.
We fix a block cipher E: {0,1}^k × {0,1}^n → {0,1}^n having key size k and block size n. It is assumed that the
attacker knows the description of E and can compute it. For concreteness, you can think of E as being DES.
Historically, cryptanalysis of block ciphers has focused on key-recovery. The cryptanalyst may think of the
problem to be solved as something like this. A k-bit key T, called the target key, is chosen at random. Let
q ≥ 0 be some integer parameter.
Given: The adversary has a sequence of q input-output examples of E_T, say
(M_1, C_1), . . . , (M_q, C_q)
where C_i = E_T(M_i) for i = 1, . . . , q and M_1, . . . , M_q are all distinct n-bit strings.
Algorithm KeySchedule(K)    // |K| = 56
    K ← PC1(K)
    Parse K as C_0 D_0
    for r = 1, . . . , 16 do
        if r ∈ {1, 2, 9, 16} then j ← 1 else j ← 2 fi
        C_r ← leftshift_j(C_{r-1}) ; D_r ← leftshift_j(D_{r-1})
        K_r ← PC2(C_r D_r)
    return (K_1, . . . , K_16)
Figure 4.6: The key schedule of DES. Here leftshift_j denotes the function that rotates its input to the left by j
positions.
PC1                         PC2
57 49 41 33 25 17  9        14 17 11 24  1  5
 1 58 50 42 34 26 18         3 28 15  6 21 10
10  2 59 51 43 35 27        23 19 12  4 26  8
19 11  3 60 52 44 36        16  7 27 20 13  2
63 55 47 39 31 23 15        41 52 31 37 47 55
 7 62 54 46 38 30 22        30 40 51 45 33 48
14  6 61 53 45 37 29        44 49 39 56 34 53
21 13  5 28 20 12  4        46 42 50 36 29 32
Figure 4.7: Tables describing the PC1 and PC2 functions used by the DES key schedule of Figure 4.6.
Find: The adversary wants to find the target key T.
Let us say that a key K is consistent with the input-output examples (M_1, C_1), . . . , (M_q, C_q) if E_K(M_i) = C_i for
all 1 ≤ i ≤ q. We let
Cons_E((M_1, C_1), . . . , (M_q, C_q))
be the set of all keys consistent with the input-output examples (M_1, C_1), . . . , (M_q, C_q). Of course the target
key T is in this set. But the set might be larger, containing other keys. A key-recovery attack cannot hope
to differentiate the target key from other members of the set Cons_E((M_1, C_1), . . . , (M_q, C_q)). Thus, the goal is
sometimes viewed as simply being to find some key in this set, or even the entire set. For practical block ciphers
though, if enough input-output examples are used, the size of this set is usually one, so that one can indeed find
the target key. We will exemplify all this when we consider specific attacks.
Some typical kinds of “attack” that are considered within this framework:
Known-message attack: M_1, . . . , M_q are any distinct points; the adversary has no control over them, and
must work with whatever it gets.
Chosen-message attack: M_1, . . . , M_q are chosen by the adversary, perhaps even adaptively. That is, imagine
it has access to an “oracle” for the function E_K. It can feed the oracle M_1 and get back C_1 = E_K(M_1). It can
then decide on a value M_2, feed the oracle this, and get back C_2, and so on.
Clearly a chosen-message attack gives the adversary much more power, but is also less realistic in practice.
The most obvious attack strategy is exhaustive key search. The adversary goes through all possible keys
K' ∈ {0,1}^k until it finds one that explains the input-output pairs. Here is the attack in detail, using q = 1,
meaning one input-output example. For i = 1, . . . , 2^k let T_i denote the ith k-bit string (in lexicographic order).
EKS_E(M_1, C_1)
    for i = 1, . . . , 2^k do
        if E(T_i, M_1) = C_1 then return T_i fi
This attack always returns a key consistent with the given input-output example (M_1, C_1). Whether or not it
is the target key depends on the block cipher, and in particular on its key length and block length, and in some
cases the probability of this is too small. The likelihood of the attack returning the target key can be increased
by testing against more input-output examples:
EKS_E((M_1, C_1), . . . , (M_q, C_q))
    for i = 1, . . . , 2^k do
        if E(T_i, M_1) = C_1 then
            if ( E(T_i, M_2) = C_2 AND · · · AND E(T_i, M_q) = C_q ) then return T_i fi
A fairly small value of q, say somewhat more than k/n, is enough that this attack will usually return the target
key itself. For DES, q = 2 is enough.
Thus, no block cipher is perfectly secure. It is always possible for an attacker to recover the key. A good block
cipher, however, is designed to make this task computationally prohibitive.
How long does exhaustive key-search take? Since q is small we can neglect the difference in running time between
the two versions of the attack above, and focus for simplicity on the first attack. In the worst case, it uses 2^k
computations of the block cipher. However it could be less since one could get lucky. For example if the target
key is in the first half of the search space, only 2^{k-1} computations would be used. So a better measure is how
long it takes on the average. This is
$$
\sum_{i=1}^{2^k} i \cdot \Pr[K = T_i]
= \sum_{i=1}^{2^k} \frac{i}{2^k}
= \frac{1}{2^k} \sum_{i=1}^{2^k} i
= \frac{1}{2^k} \cdot \frac{2^k (2^k + 1)}{2}
= \frac{2^k + 1}{2}
\approx 2^{k-1}
$$
computations of the block cipher. This is because the target key is chosen at random, so with probability 1/2^k it
equals T_i, and in that case the attack uses i E-computations to find it.
Thus to make key-recovery by exhaustive search computationally prohibitive, one must make the key-length k
of the block cipher large enough.
Let’s look at DES. We noted above that there is a VLSI chip that can compute it at the rate of 1.6 Gbits/sec.
How long would key-recovery via exhaustive search take using this chip? Since a DES plaintext is 64 bits, the
chip enables us to perform (1.6 · 10^9)/64 = 2.5 · 10^7 DES computations per second. To perform 2^55 computations
(here k = 56) we thus need 2^55/(2.5 · 10^7) ≈ 1.44 · 10^9 seconds, which is about 45.7 years. This is clearly
prohibitive.
It turns out that DES has a property called key-complementation that one can exploit to reduce the size
of the search space by one-half, so that the time to find a key by exhaustive search comes down to 22.8 years.
But this is still prohibitive.
Yet, the conclusion that DES is secure against exhaustive key search is actually too hasty. We will return to
this later and see why.
Exhaustive key search is a generic attack in the sense that it works against any block cipher. It only involves
computing the block cipher and makes no attempt to analyze the cipher and find and exploit weaknesses.
Cryptanalysts also need to ask themselves if there is some weakness in the structure of the block cipher they
can exploit to obtain an attack performing better than exhaustive key search.
For DES, the discovery of such attacks waited until 1990. Differential cryptanalysis is capable of finding a
DES key using about 2^47 input-output examples (that is, q = 2^47) in a chosen-message attack [33, 34]. Linear
cryptanalysis [140] improved differential in two ways. The number of input-output examples required is reduced
to 2^44, and only a known-message attack is required. (An alternative version uses 2^42 chosen plaintexts [124].)
These were major breakthroughs in cryptanalysis that required careful analysis of the DES construction to find
and exploit weaknesses. Yet, the practical impact of these attacks is small. Why? Ordinarily it would be
impossible to obtain 2^44 input-output examples. Furthermore, the storage requirement for these examples is
prohibitive. A single input-output pair, consisting of a 64-bit plaintext and 64-bit ciphertext, takes 16 bytes of
storage. When there are 2^44 such pairs, we need 16 · 2^44 = 2.81 · 10^14 bits, or about 281 terabytes of storage,
which is enormous.
Linear and differential cryptanalysis were however more devastating when applied to other ciphers, some of
which succumbed completely to the attack.
So what’s the best possible attack against DES? The answer is exhaustive key search. What we ignored above
is that the DES computations in this attack can be performed in parallel. In 1993, Wiener argued that one can
design a $1 million machine that does the exhaustive key search for DES in about 3.5 hours on the average [207].
His machine would have about 57,000 chips, each performing numerous DES computations. More recently, a
DES key search machine was actually built by the Electronic Frontier Foundation, at a cost of $250,000 [88]. It
finds the key in 56 hours, or about 2.5 days on the average. The builders say it will be cheaper to build more
machines now that this one is built.
Thus DES is feeling its age. Yet, it would be a mistake to take away from this discussion the impression that
DES is a weak algorithm. Rather, what the above says is that it is an impressively strong algorithm. After all
these years, the best practical attack known is still exhaustive key search. That says a lot for its design and its
designers.
Later we will see that we would like security properties from a block cipher that go beyond resistance to key
recovery attacks. It turns out that from that point of view, a limitation of DES is its block size. Birthday
attacks “break” DES with about q = 2^32 input-output examples. (The meaning of “break” here is very different
from above.) Here 2^32 is the square root of 2^64, meaning to resist these attacks we must have bigger block size.
The next generation of ciphers—things like AES—took this into account.
4.4 Iterated-DES and DESX
The emergence of the above-discussed key-search engines led to the view that in practice DES should be
considered broken. Its shortcoming was its key-length of 56, not long enough to resist exhaustive key search.
People looked for cheap ways to strengthen DES, turning it, in some simple way, into a cipher with a larger key
length. One paradigm towards this end is iteration.
4.4.1 Double-DES
Let K_1, K_2 be 56-bit DES keys and let M be a 64-bit plaintext. Let
2DES(K_1 K_2, M) = DES(K_2, DES(K_1, M)) .
This defines a block cipher 2DES: {0,1}^112 × {0,1}^64 → {0,1}^64 that we call Double-DES. It has a 112-bit key,
viewed as consisting of two 56-bit DES keys. Note that it is reversible, as required to be a block cipher:
2DES^{-1}(K_1 K_2, C) = DES^{-1}(K_1, DES^{-1}(K_2, C)) .
for any 64-bit C.
The key length of 112 is large enough that there seems little danger of 2DES succumbing to an exhaustive key
search attack, even while exploiting the potential for parallelism and special-purpose hardware. On the other
hand, 2DES also seems secure against the best known cryptanalytic techniques, namely differential and linear
cryptanalysis, since the iteration effectively increases the number of Feistel rounds. This would indicate that
2DES is a good way to obtain a DES-based cipher more secure than DES itself.
However, although 2DES has a key-length of 112, it turns out that it can be broken using about 2^57 DES and
DES^{-1} computations by what is called a meet-in-the-middle attack, as we now illustrate. Let K_1 K_2 denote
the target key and let C_1 = 2DES(K_1 K_2, M_1). The attacker, given M_1, C_1, is attempting to find K_1 K_2. We
observe that
C_1 = DES(K_2, DES(K_1, M_1)) ⇒ DES^{-1}(K_2, C_1) = DES(K_1, M_1) .
This leads to the following attack. Below, for i = 1, . . . , 2^56 we let T_i denote the ith 56-bit string (in lexicographic
order):
MinM_2DES(M_1, C_1)
    for i = 1, . . . , 2^56 do L[i] ← DES(T_i, M_1)
    for j = 1, . . . , 2^56 do R[j] ← DES^{-1}(T_j, C_1)
    S ← { (i, j) : L[i] = R[j] }
    Pick some (l, r) ∈ S and return T_l T_r
For any (i, j) ∈ S we have
DES(T_i, M_1) = L[i] = R[j] = DES^{-1}(T_j, C_1)
and as a consequence DES(T_j, DES(T_i, M_1)) = C_1. So the key T_i T_j is consistent with the input-output example
(M_1, C_1). Thus,
{ T_l T_r : (l, r) ∈ S } = Cons_E((M_1, C_1)) .
The attack picks some pair (l, r) from S and outputs T_l T_r, thus returning a key consistent with the input-output
example (M_1, C_1).
The set S above is likely to be quite large, of size about 2^{56+56}/2^64 = 2^48, meaning the attack as written is not
likely to return the target key itself. However, by using a few more input-output examples, it is easy to whittle
down the choices in the set S until it is likely that only the target key remains.
The attack makes 2^56 + 2^56 = 2^57 DES or DES^{-1} computations. The step of forming the set S can be
implemented in linear time in the size of the arrays involved, say using hashing. (A naive strategy takes time
quadratic in the size of the arrays.) Thus the running time is dominated by the DES, DES^{-1} computations.
The meet-in-the-middle attack shows that 2DES is quite far from the ideal of a cipher where the best attack
is exhaustive key search. However, this attack is not particularly practical, even if special purpose machines
are designed to implement it. The machines could do the DES, DES^{-1} computations quickly in parallel, but to
form the set S the attack needs to store the arrays L, R, each of which has 2^56 entries, each entry being 64 bits.
The amount of storage required is 8 · 2^57 ≈ 1.15 · 10^18 bytes, or about 1.15 · 10^6 terabytes, which is so large that
implementing the attack is impractical.
There are some strategies that modify the attack to reduce the storage overhead at the cost of some added time,
but still the attack does not appear to be practical.
Since a 112-bit 2DES key can be found using 2^57 DES or DES^{-1} computations, we sometimes say that 2DES
has an effective key length of 57.
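The exhaustive-search attack EKS and the set Cons of Section 4.3, together with the meet-in-the-middle attack MinM above, run as an added example against a constructed toy cipher rather than DES (this is not code from the notes): a 4-round Feistel cipher with k = 12 and n = 8, small enough that 2^k trials finish in seconds, so the predicted average of (2^k + 1)/2 trials, the size of Cons for q = 1 versus q = 3, and the size of the meet-in-the-middle set S (about 2^{2k}/2^n = 2^16 pairs before whittling) can all be observed directly. The cipher, its 4-bit S-box, the target keys and all messages are constructed for the demonstration.

```python
# Added example, not from the notes: EKS, Cons and MinM on a constructed toy cipher (k = 12, n = 8).
import random

K_BITS, N_BITS = 12, 8
# Constructed 4-bit S-box (a permutation of 0..15) for the toy round function.
TOY_SBOX = [0xC, 5, 6, 0xB, 9, 0, 0xA, 0xD, 3, 0xE, 0xF, 8, 4, 7, 1, 2]

def toy(key, m):
    """4-round Feistel on 4-bit halves; subkeys are the three nibbles of the key, the first reused in round 4."""
    l, r = m >> 4, m & 0xF
    for rk in (key & 0xF, (key >> 4) & 0xF, key >> 8, key & 0xF):
        l, r = r, l ^ TOY_SBOX[r ^ rk]
    return (l << 4) | r

def toy_inv(key, c):
    """The same rounds undone in reverse order (Feistel reversibility, as for DES)."""
    l, r = c >> 4, c & 0xF
    for rk in (key & 0xF, key >> 8, (key >> 4) & 0xF, key & 0xF):
        l, r = r ^ TOY_SBOX[l ^ rk], l
    return (l << 4) | r

def cons(cipher, examples, k_bits=K_BITS):
    """Cons_E(examples): every key consistent with all the (M_i, C_i) pairs, by brute force."""
    return [t for t in range(1 << k_bits) if all(cipher(t, m) == c for m, c in examples)]

def eks(cipher, examples, k_bits=K_BITS):
    """EKS_E: (first consistent key T_i in lexicographic order, number of keys tried)."""
    for i, t in enumerate(range(1 << k_bits), start=1):
        if all(cipher(t, m) == c for m, c in examples):
            return t, i
    return None, 1 << k_bits

def average_eks_work(samples=128, q=3, seed=1):
    """Mean trials over random targets; the text predicts (2^k + 1)/2 = 2048.5 for k = 12."""
    rng = random.Random(seed)
    msgs = rng.sample(range(1 << N_BITS), q)
    total = 0
    for _ in range(samples):
        target = rng.randrange(1 << K_BITS)
        total += eks(toy, [(m, toy(target, m)) for m in msgs])[1]
    return total / samples

def toy2(key24, m):
    """Double toy, like 2DES: 2TOY(K1 K2, M) = TOY(K2, TOY(K1, M)), K1 being the high 12 bits."""
    return toy(key24 & 0xFFF, toy(key24 >> 12, m))

def mitm(examples):
    """MinM: 2 * 2^12 toy computations instead of 2^24, then whittle S with the remaining examples.
    Returns (|S| from the first example alone, surviving 24-bit keys)."""
    (m1, c1), rest = examples[0], examples[1:]
    left = {}                                      # L[i] = TOY(T_i, M_1), indexed by value (hashing)
    for i in range(1 << K_BITS):
        left.setdefault(toy(i, m1), []).append(i)
    cands = [(i, j) for j in range(1 << K_BITS)    # S = {(i, j) : L[i] = R[j]}, R[j] = TOY^-1(T_j, C_1)
             for i in left.get(toy_inv(j, c1), [])]
    size_q1 = len(cands)
    for m, c in rest:
        cands = [(i, j) for i, j in cands if toy2((i << 12) | j, m) == c]
    return size_q1, [(i << 12) | j for i, j in cands]

if __name__ == "__main__":
    target = 0x9A5                                 # constructed target key
    for q in (1, 2, 3):
        ex = [(m, toy(target, m)) for m in (0x3C, 0xA7, 0x51)[:q]]
        print(f"q={q}: |Cons| = {len(cons(toy, ex))}, EKS returns {eks(toy, ex)[0]:#05x}")
    print("average EKS trials:", average_eks_work(), "(predicted 2048.5)")
    dtarget = (0xABC << 12) | 0x123                # constructed double-cipher target K1 K2
    size_q1, keys = mitm([(m, toy2(dtarget, m)) for m in (0x01, 0x23, 0x45, 0x67, 0x89)])
    print(f"|S| with q=1: {size_q1} (about 2^16); after 5 examples: {[hex(k) for k in keys]}")
```

With q = 1 the toy cipher leaves about 1 + (2^12 − 1)/2^8 ≈ 17 consistent keys, which is the "whether or not it is the target key" caveat of the text in miniature; three examples (q somewhat above k/n = 1.5) almost always isolate the target. The meet-in-the-middle set S starts at roughly 2^{2k−n} pairs, so whittling with further examples is essential, exactly as the text says for 2DES.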
4.4.2 Triple-DES
The triple-DES ciphers use three iterations of DES or DES^{-1}. The three-key variant is defined by
3DES3(K_1 K_2 K_3, M) = DES(K_3, DES^{-1}(K_2, DES(K_1, M))) ,
so that 3DES3: {0,1}^168 × {0,1}^64 → {0,1}^64. The two-key variant is defined by
3DES2(K_1 K_2, M) = DES(K_2, DES^{-1}(K_1, DES(K_2, M))) ,
so that 3DES2: {0,1}^112 × {0,1}^64 → {0,1}^64. You should check that these functions are reversible so that they
do qualify as block ciphers. The term “triple” refers to there being three applications of DES or DES^{-1}. The
rationale for the middle application being DES^{-1} rather than DES is that DES is easily recovered via
DES(K, M) = 3DES3(KKK, M)    (4.1)
DES(K, M) = 3DES2(KK, M) .   (4.2)
As with 2DES, the key length of these ciphers appears long enough to make exhaustive key search prohibitive,
even with the best possible engines, and, additionally, differential and linear cryptanalysis are not particularly
effective because iteration effectively increases the number of Feistel rounds.
3DES3 is subject to a meet-in-the-middle attack that finds the 168-bit key using about 2^112 computations of
DES or DES^{-1}, so that it has an effective key length of 112. There does not appear to be a meet-in-the-middle
attack on 3DES2 however, so that its key length of 112 is also its effective key length.
The 3DES2 cipher is popular in practice and functions as a canonical and standard replacement for DES. 2DES,
although having the same eﬀective key length as 3DES2 and oﬀering what appears to be the same or at least
adequate security, is not popular in practice. It is not entirely apparent why 3DES2 is preferred over 2DES, but
the reason might be Equation (4.2).
4.4.3 DESX
Although 2DES, 3DES3 and 3DES2 appear to provide adequate security, they are slow. The first is twice as slow
as DES and the other two are three times as slow. It would be nice to have a DES-based block cipher that had
a longer key than DES but was not significantly more costly. Interestingly, there is a simple design that does
just this. Let K be a 56-bit DES key, let K_1, K_2 be 64-bit strings, and let M be a 64-bit plaintext. Let
DESX(K K_1 K_2, M) = K_2 ⊕ DES(K, K_1 ⊕ M) .
This defines a block cipher DESX: {0,1}^184 × {0,1}^64 → {0,1}^64. It has a 184-bit key, viewed as consisting of
a 56-bit DES key plus two auxiliary keys, each 64 bits long. Note that it is reversible, as required to be a block
cipher:
DESX^{-1}(K K_1 K_2, C) = K_1 ⊕ DES^{-1}(K, K_2 ⊕ C) .
The key length of 184 is certainly enough to preclude exhaustive key search attacks. DESX is no more secure
than DES against linear or differential cryptanalysis, but we already saw that these are not really practical
attacks.
There is a meet-in-the-middle attack on DESX. It finds a 184-bit DESX key using 2^120 DES and DES^{-1}
computations. So the effective key length of DESX seems to be 120, which is large enough for security.
DESX is less secure than Double or Triple DES because the latter are more resistant than DES to linear
and differential cryptanalysis while DESX is only as good as DES itself in this regard. However, this is good
enough; we saw that in practice the weakness of DES was not these attacks but rather the short key length
leading to successful exhaustive search attacks. DESX fixes this, and very cheaply. In summary, DESX is popular
because it is much cheaper than Double or Triple DES while providing adequate security.
4.4.4 Why a new cipher?
DESX is arguably a fine cipher. Nonetheless, there were important reasons to find and standardize a new cipher.
We will see in Section 5.8 that the security provided by a block cipher depends not only on its key length and
resistance to key-search attacks but on its block length. A block cipher with block length n can be “broken” in
time around 2^{n/2}. When n = 64, this is 2^32, which is quite small. Although 2DES, 3DES3, 3DES2, DESX have a
higher (effective) key length than DES, they preserve its block size and thus are no more secure than DES from
this point of view. It was seen as important to have a block cipher with a block length n large enough that a
2^{n/2} time attack was not practical. This was one motivation for a new cipher.
Perhaps the larger motivation was speed. Desired was a block cipher that ran faster than DES in software.
4.5 Advanced Encryption Standard (AES)
In 1998 the National Institute of Standards and Technology (NIST/USA) announced a “competition” for a new
block cipher. The new block cipher would, in time, replace DES. The relatively short key length of DES was
the main problem that motivated the effort: with the advances in computing power, a key space of 2^56 keys was
just too small. With the development of a new algorithm one could also take the opportunity to address the
modest software speed of DES, making something substantially faster, and to increase the block size from 64
to 128 bits (the choice of 64 bits for the block size can lead to security difficulties, as we shall later see). Unlike
the design of DES, the new algorithm would be designed in the open and by the public.
Fifteen algorithms were submitted to NIST. They came from around the world. A second round narrowed the
choice to five of these algorithms. In the summer of 2001 NIST announced their choice: an algorithm called
Rijndael. The algorithm should be embodied in a NIST FIPS (Federal Information Processing Standard) any
day now; right now, there is a draft FIPS. Rijndael was designed by Joan Daemen and Vincent Rijmen (from
which the algorithm gets its name), both from Belgium. It is a descendant of an algorithm called Square.

function AES_K(M)
    (K_0, . . . , K_10) ← expand(K)
    s ← M ⊕ K_0
    for r = 1 to 10 do
        s ← S(s)
        s ← shiftrows(s)
        if r ≤ 9 then s ← mixcols(s) fi
        s ← s ⊕ K_r
    endfor
    return s
Figure 4.8: The function AES128. See the accompanying text and figures for definitions of the maps expand,
S, shiftrows, mixcols.
In this section we shall describe AES.
A word about notation. Purists would prefer to reserve the term “AES” to refer to the standard, using the
word “Rijndael” or the phrase “the AES algorithm” to refer to the algorithm itself. (The same naming pundits
would have us use the acronym DEA, Data Encryption Algorithm, to refer to the algorithm of the DES, the
Data Encryption Standard.) We choose to follow common convention and refer to both the standard and
the algorithm as AES. Such an abuse of terminology never seems to lead to any misunderstandings. (Strictly
speaking, AES is a special case of Rijndael. The latter includes more options for block lengths than AES does.)
The AES has a block length of n = 128 bits, and a key length k that is variable: it may be 128, 192 or 256
bits. So the standard actually specifies three different block ciphers: AES128, AES192, AES256. These three
block ciphers are all very similar, so we will stick to describing just one of them, AES128. For simplicity, in the
remainder of this section, AES means the algorithm AES128. We’ll write C = AES_K(M) where |K| = 128 and
|M| = |C| = 128.
We’re going to describe AES in terms of four additional mappings: expand, S, shiftrows, and mixcols. The
function expand takes a 128-bit string and produces a vector of eleven keys, (K_0, . . . , K_10). The remaining
three functions bijectively map 128 bits to 128 bits. Actually, we’ll be more general for S, letting it be a map
on ({0,1}^8)^+. Let’s postpone describing all of these maps and start off with the high-level structure of AES,
which is given in Figure 4.8.
Refer to Figure 4.8. The value s is called the state. One initializes the state to M and the final state is the
ciphertext C one gets by enciphering M. What happens in each iteration of the for loop is called a round.
So AES consists of ten rounds. The rounds are identical except that each uses a different subkey K_i and, also,
round 10 omits the call to mixcols.
To understand what goes on in S and mixcols we will need to review a bit of algebra. Let us make a pause
to do that. We describe a way to do arithmetic on bytes. Identify each byte a = a_7 a_6 a_5 a_4 a_3 a_2 a_1 a_0 with the
formal polynomial a_7 x^7 + a_6 x^6 + a_5 x^5 + a_4 x^4 + a_3 x^3 + a_2 x^2 + a_1 x + a_0. We can add two bytes by taking their
bitwise xor (which is the same as the mod-2 sum of the corresponding polynomials). We can multiply two bytes
to get a degree 14 (or less) polynomial, and then take the remainder of this polynomial by the fixed irreducible
polynomial
m(x) = x^8 + x^4 + x^3 + x + 1 .
This remainder polynomial is a polynomial of degree at most seven which, as before, can be regarded as a byte.
In this way, we can add and multiply any two bytes. The resulting algebraic structure has all the properties
necessary to be called a finite field. In particular, this is one representation of the finite field known as GF(2^8)—
the Galois field on 2^8 = 256 points. As a finite field, you can find the inverse of any nonzero field point (the
zero-element is the zero byte) and you can distribute addition over multiplication, for example.

63 7c 77 7b f2 6b 6f c5 30 01 67 2b fe d7 ab 76
ca 82 c9 7d fa 59 47 f0 ad d4 a2 af 9c a4 72 c0
b7 fd 93 26 36 3f f7 cc 34 a5 e5 f1 71 d8 31 15
04 c7 23 c3 18 96 05 9a 07 12 80 e2 eb 27 b2 75
09 83 2c 1a 1b 6e 5a a0 52 3b d6 b3 29 e3 2f 84
53 d1 00 ed 20 fc b1 5b 6a cb be 39 4a 4c 58 cf
d0 ef aa fb 43 4d 33 85 45 f9 02 7f 50 3c 9f a8
51 a3 40 8f 92 9d 38 f5 bc b6 da 21 10 ff f3 d2
cd 0c 13 ec 5f 97 44 17 c4 a7 7e 3d 64 5d 19 73
60 81 4f dc 22 2a 90 88 46 ee b8 14 de 5e 0b db
e0 32 3a 0a 49 06 24 5c c2 d3 ac 62 91 95 e4 79
e7 c8 37 6d 8d d5 4e a9 6c 56 f4 ea 65 7a ae 08
ba 78 25 2e 1c a6 b4 c6 e8 dd 74 1f 4b bd 8b 8a
70 3e b5 66 48 03 f6 0e 61 35 57 b9 86 c1 1d 9e
e1 f8 98 11 69 d9 8e 94 9b 1e 87 e9 ce 55 28 df
8c a1 89 0d bf e6 42 68 41 99 2d 0f b0 54 bb 16
Figure 4.9: The AES S-box, which is a function S : {0,1}^8 → {0,1}^8 specified by the following list. All values
in hexadecimal. The meaning is: S(00) = 63, S(01) = 7c, . . ., S(ff) = 16.
There are some useful tricks when you want to multiply two bytes. Since m(x) is another name for zero,
x^8 = x^4 + x^3 + x + 1 = {1b}. (Here the curly brackets simply indicate a hexadecimal number.) So it is easy to
multiply a byte a by the byte x = {02}: namely, shift the 8-bit byte a one position to the left, letting the first
bit “fall off” (but remember it!) and shifting a zero into the last bit position. We write this operation a << 1. If
that first bit of a was a 0, we are done. If the first bit was a 1, we need to add in (that is, xor in) x^8 = {1b}.
In summary, for a a byte, a · x = a · {02} is a << 1 if the first bit of a is 0, and it is (a << 1) ⊕ {1b} if the first
bit of a is 1.
Knowing how to multiply by x = {02} lets you conveniently multiply by other quantities. For example, to
compute {a1} · {03} compute {a1} · ({02} ⊕ {01}) = {a1} · {02} ⊕ {a1} · {01} = {42} ⊕ {1b} ⊕ {a1} = {f8}. Try
some more examples on your own.
As we said, each nonzero byte a has a multiplicative inverse, inv(a) = a^{-1}. The mapping we will denote
S : {0,1}^8 → {0,1}^8 is obtained from the map inv : a → a^{-1}. First, patch this map to make it total on
{0,1}^8 by setting inv({00}) = {00}. Then, to compute S(a), first replace a by inv(a), number the bits of a by
a = a_7 a_6 a_5 a_4 a_3 a_2 a_1 a_0, and return the value a', where a' = a'_7 a'_6 a'_5 a'_4 a'_3 a'_2 a'_1 a'_0 is given by
$$
\begin{pmatrix} a'_7 \\ a'_6 \\ a'_5 \\ a'_4 \\ a'_3 \\ a'_2 \\ a'_1 \\ a'_0 \end{pmatrix}
=
\begin{pmatrix}
1 & 0 & 0 & 0 & 1 & 1 & 1 & 1 \\
1 & 1 & 0 & 0 & 0 & 1 & 1 & 1 \\
1 & 1 & 1 & 0 & 0 & 0 & 1 & 1 \\
1 & 1 & 1 & 1 & 0 & 0 & 0 & 1 \\
1 & 1 & 1 & 1 & 1 & 0 & 0 & 0 \\
0 & 1 & 1 & 1 & 1 & 1 & 0 & 0 \\
0 & 0 & 1 & 1 & 1 & 1 & 1 & 0 \\
0 & 0 & 0 & 1 & 1 & 1 & 1 & 1
\end{pmatrix}
\begin{pmatrix} a_7 \\ a_6 \\ a_5 \\ a_4 \\ a_3 \\ a_2 \\ a_1 \\ a_0 \end{pmatrix}
+
\begin{pmatrix} 1 \\ 1 \\ 0 \\ 0 \\ 0 \\ 1 \\ 1 \\ 0 \end{pmatrix}
$$
All arithmetic is in GF(2), meaning that addition of bits is their xor and multiplication of bits is the conjunction
(and).
All together, the map S is given by Figure 4.9, which lists the values of
S(0), S(1), . . . , S(255) .
In fact, one could forget how this table is produced, and just take it for granted. But the fact is that it is made
in the simple way we have said.
Now that we have the function S, let us extend it (without bothering to change the name) to a function with
domain ({0,1}^8)^+. Namely, given an m-byte string A = A[1] . . . A[m], set S(A) to be S(A[1]) . . . S(A[m]). In
other words, just apply S bytewise.
function expand(K)
    K_0 ← K
    for i ← 1 to 10 do
        K_i[0] ← K_{i-1}[0] ⊕ S(K_{i-1}[3] <<< 8) ⊕ C_i
        K_i[1] ← K_{i-1}[1] ⊕ K_i[0]
        K_i[2] ← K_{i-1}[2] ⊕ K_i[1]
        K_i[3] ← K_{i-1}[3] ⊕ K_i[2]
    od
    return (K_0, . . . , K_10)
Figure 4.10: The AES128 key-expansion algorithm maps a 128-bit key K into eleven 128-bit subkeys,
K_0, . . . , K_10. Constants (C_1, . . . , C_10) are ({02000000}, {04000000}, {08000000}, {10000000}, {20000000},
{40000000}, {80000000}, {1B000000}, {36000000}, {6C000000}). All other notation is described in the accompanying text.
Now we’re ready to understand the first map, S(s). One takes the 16-byte state s and applies the 8-bit lookup
table to each of its bytes to get the modified state s.
Moving on, the shiftrows operation works like this. Imagine plastering the 16 bytes of s = s_0 s_1 . . . s_15 going
top-to-bottom, then left-to-right, to make a 4 × 4 table:
s_0   s_4   s_8    s_12
s_1   s_5   s_9    s_13
s_2   s_6   s_10   s_14
s_3   s_7   s_11   s_15
For the shiftrows step, left circularly shift the second row by one position; the third row by two positions; and
the fourth row by three positions. The first row is not shifted at all. Somewhat less colorfully, the mapping
is simply
shiftrows(s_0 s_1 s_2 . . . s_15) = s_0 s_5 s_10 s_15 s_4 s_9 s_14 s_3 s_8 s_13 s_2 s_7 s_12 s_1 s_6 s_11
Using the same convention as before, the mixcols step takes each of the four columns in the $4 \times 4$ table and applies the (same) transformation to it. Thus we define mixcols(s) on 4-byte words, and then extend this to a 16-byte quantity wordwise. The value of $\mathrm{mixcols}(a_0 a_1 a_2 a_3) = a'_0 a'_1 a'_2 a'_3$ is defined by:

$$
\begin{pmatrix} a'_0 \\ a'_1 \\ a'_2 \\ a'_3 \end{pmatrix}
=
\begin{pmatrix}
02 & 03 & 01 & 01 \\
01 & 02 & 03 & 01 \\
01 & 02 & 02 & 03 \\
03 & 01 & 01 & 02
\end{pmatrix}
\begin{pmatrix} a_0 \\ a_1 \\ a_2 \\ a_3 \end{pmatrix}
$$

An equivalent way to explain this step is to say that we are multiplying $a(x) = a_3 x^3 + a_2 x^2 + a_1 x + a_0$ by the fixed polynomial $c(x) = \{03\}x^3 + \{01\}x^2 + \{01\}x + \{02\}$ and taking the result modulo $x^4 + 1$.
At this point we have described everything but the key-expansion map, expand. That map is given in Figure 4.10.
We have now completed the definition of AES. One key property is that AES is a block cipher: the map is invertible. This follows because every round is invertible. That a round is invertible follows from each of its steps being invertible, which is a consequence of S being a permutation and the matrix used in mixcols having an inverse.
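The pieces just described, assembled into a working AES-128 encryption, as an added example (this is not code from the notes): the S-box is computed from its inversion-plus-affine-map definition rather than looked up in Figure 4.9, expand follows Figure 4.10, shiftrows and mixcols follow the definitions above, and the result is checked against the FIPS-197 test vectors. Two conventions are assumptions on my part: the rows of the affine matrix are read as giving $a'_0, a'_1, \ldots, a'_7$ in order, with constant byte {63}, as in FIPS-197; and the round constants $C_1, \ldots, C_{10}$ are those of FIPS-197, whose list begins at {01000000}, since those are what the published test vectors require. The mixcols matrix used is the circulant one that the polynomial $c(x)$ above produces.

```python
# Added example, not code from the lecture notes: AES-128 from the section's
# definitions. Assumptions: FIPS-197 bit ordering for the affine map (bit 0 is
# the least significant bit) and FIPS-197 round constants (starting at {01}).
from functools import reduce
from typing import List


def gf_mul(a: int, b: int) -> int:
    """Multiply two bytes in GF(2^8) modulo m(x) = x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B          # reduce by m(x) when the degree reaches 8
        b >>= 1
    return r


def gf_inv(a: int) -> int:
    """inv(a) = a^254 (the multiplicative group has order 255); inv({00}) = {00}."""
    r, base, e = 1, a, 254
    while e:
        if e & 1:
            r = gf_mul(r, base)
        base = gf_mul(base, base)
        e >>= 1
    return r if a else 0


def sbox(a: int) -> int:
    """S(a): invert, then apply the GF(2) affine map. Row i of the matrix reads
    a'_i = a_i + a_{i+4} + a_{i+5} + a_{i+6} + a_{i+7} + c_i (indices mod 8),
    where the constant vector c is the byte {63}."""
    x = gf_inv(a)
    out = 0
    for i in range(8):
        taps = ((x >> i) ^ (x >> ((i + 4) % 8)) ^ (x >> ((i + 5) % 8))
                ^ (x >> ((i + 6) % 8)) ^ (x >> ((i + 7) % 8)) ^ (0x63 >> i))
        out |= (taps & 1) << i
    return out


SBOX = [sbox(a) for a in range(256)]           # the table of Figure 4.9, computed
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]
SHIFT = [0, 5, 10, 15, 4, 9, 14, 3, 8, 13, 2, 7, 12, 1, 6, 11]   # shiftrows output order
MIX = ((2, 3, 1, 1), (1, 2, 3, 1), (1, 1, 2, 3), (3, 1, 1, 2))    # circulant matrix of c(x)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def expand(K: bytes) -> List[bytes]:
    """Figure 4.10: a 16-byte key gives the eleven 16-byte round keys K_0..K_10."""
    keys = [K]
    for i in range(1, 11):
        w = [keys[-1][4 * j:4 * j + 4] for j in range(4)]   # K_{i-1}[0..3]
        rot = w[3][1:] + w[3][:1]                           # K_{i-1}[3] <<< 8
        c_i = bytes([RCON[i - 1], 0, 0, 0])
        new = [xor(xor(w[0], bytes(SBOX[b] for b in rot)), c_i)]   # K_i[0]
        for j in range(1, 4):                               # K_i[j] = K_{i-1}[j] xor K_i[j-1]
            new.append(xor(w[j], new[j - 1]))
        keys.append(b"".join(new))
    return keys


def shiftrows(s: bytes) -> bytes:
    """s_0 s_5 s_10 s_15 s_4 s_9 s_14 s_3 s_8 s_13 s_2 s_7 s_12 s_1 s_6 s_11."""
    return bytes(s[i] for i in SHIFT)


def mixcols(s: bytes) -> bytes:
    """Apply the 4x4 GF(2^8) matrix to each 4-byte column of the state."""
    out = bytearray()
    for c in range(4):
        col = s[4 * c:4 * c + 4]
        for row in MIX:
            out.append(reduce(lambda acc, t: acc ^ gf_mul(t[0], t[1]), zip(row, col), 0))
    return bytes(out)


def encrypt(K: bytes, M: bytes) -> bytes:
    """AES-128: key whitening, then ten rounds of S, shiftrows, mixcols (skipped
    in the final round) and subkey xor."""
    keys = expand(K)
    s = xor(M, keys[0])
    for i in range(1, 11):
        s = bytes(SBOX[b] for b in s)
        s = shiftrows(s)
        if i < 10:
            s = mixcols(s)
        s = xor(s, keys[i])
    return s


if __name__ == "__main__":
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # FIPS-197 Appendix B key
    pt = bytes.fromhex("3243f6a8885a308d313198a2e0370734")    # FIPS-197 Appendix B input
    print(encrypt(key, pt).hex())   # 3925841d02dc09fbdc118597196a0b32
```

Because S is generated rather than transcribed, the block also checks the claim in the text that S is a permutation (every byte value appears exactly once), which is what makes the round invertible. Problem 4.9 asks for exactly this kind of from-the-spec implementation checked against the published test vectors.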
In the case of DES, the rationale for the design was not made public. Some explanation for different aspects of the design has become more apparent over time as we have watched the effects on DES of new attack strategies, but fundamentally, the question of why the design is as it is has not received a satisfying answer. In the case of AES there was significantly more documentation of the rationale for design choices. (See the book The Design of Rijndael by the designers [66].)
Cryptography: Lecture Notes 61
Nonetheless, the security of block ciphers, including DES and AES, eventually comes down to the statement that "we have been unable to find effective attacks, and we have tried attacks along the following lines ...". If people with enough smarts and experience utter this statement, then it suggests that the block cipher is good. Beyond this, it's hard to say much. Yet, by now, our community has become reasonably experienced designing these things. It wouldn't even be that hard a game were it not for the fact we tend to be aggressive in optimizing the block cipher's speed. (Some may come to the opposite opinion, that it's a very hard game, seeing just how many reasonable-looking block ciphers have been broken.) Later we give some vague sense of the sort of cleverness that people muster against block ciphers.
4.6 Limitations of key-recovery based security
As discussed above, classically, the security of block ciphers has been looked at with regard to key recovery. That is, analysis of a block cipher E has focused primarily on the following question: given some number q of input-output examples $(M_1, C_1), \ldots, (M_q, C_q)$, where T is a random, unknown key and $C_i = E_T(M_i)$, how hard is it for an attacker to find T? A block cipher is viewed as "secure" if the best key-recovery attack is computationally infeasible, meaning requires a value of q or a running time t that is too large to make the attack practical. In the sequel, we refer to this as security against key-recovery.
However, as a notion of security, security against keyrecovery is quite limited. A good notion should be
suﬃciently strong to be useful. This means that if a block cipher is secure, then it should be possible to use
the block cipher to make worthwhile constructions and be able to have some guarantee of the security of these
constructions. But even a cursory glance at common block cipher usages shows that good security in the sense
of key recovery is not suﬃcient for security of the usages of block ciphers.
As an example, consider that we typically want to think of $C = E_K(M)$ as an "encryption" of plaintext M under key K. An adversary in possession of C but not knowing K should find it computationally infeasible to recover M, or even some part of M such as its first half. Security against key-recovery is certainly necessary for this, because if the adversary could find K it could certainly compute M, via $M = E^{-1}_K(C)$. But security against key-recovery is not sufficient to ensure that M cannot be recovered given C alone. As an example, consider the block cipher $E: \{0,1\}^{128} \times \{0,1\}^{256} \to \{0,1\}^{256}$ defined by $E_K(M) = \mathrm{AES}_K(M[1])\,M[2]$, where M[1] is the first 128 bits of M and M[2] is the last 128 bits of M. Key recovery is as hard as for AES, but a ciphertext reveals the second half of the plaintext.
This might seem like an artificial example. Many people, on seeing this, respond by saying: "But, clearly, DES and AES are not designed like this." True. But that is missing the point. The point is that security against key-recovery alone does not make a "good" block cipher.
But then what does make a good block cipher? This question turns out to not be so easy to answer. Certainly one can list various desirable properties. For example, the ciphertext should not reveal half the bits of the plaintext. But that is not enough either. As we see more usages of ciphers, we build up a longer and longer list of security properties SP1, SP2, SP3, ... that are necessary for the security of some block cipher based application.
Such a long list of necessary but not sufficient properties is no way to treat security. What we need is one single "MASTER" property of a block cipher which, if met, guarantees security of lots of natural usages of the cipher.
Such a property is that the block cipher be a pseudorandom permutation (PRP), a notion explored in another chapter.
4.7 Problems
Problem 4.1 Show that for all $K \in \{0,1\}^{56}$ and all $x \in \{0,1\}^{64}$
$$\mathrm{DES}_{\overline{K}}(\overline{x}) = \overline{\mathrm{DES}_K(x)} .$$
This is called the key-complementation property of DES.
Problem 4.2 Explain how to use the key-complementation property of DES to speed up exhaustive key search by about a factor of two. Explain any assumptions that you make.
Problem 4.3 Find a key K such that $\mathrm{DES}_K(\cdot) = \mathrm{DES}^{-1}_K(\cdot)$. Such a key is sometimes called a "weak" key.
Problem 4.4 As with AES, suppose we are working in the finite field with $2^8$ elements, representing field points using the irreducible polynomial $m(x) = x^8 + x^4 + x^3 + x + 1$. Compute the byte that is the result of multiplying bytes:
$$\{e1\} \cdot \{05\}$$
Problem 4.5 For AES, we have given two different descriptions of mixcols: one using matrix multiplication (in $\mathrm{GF}(2^8)$) and one based on multiplying by a fixed polynomial c(x) modulo a second fixed polynomial, $d(x) = x^4 + 1$. Show that these two methods are equivalent.
Problem 4.6 Verify that the matrix used for mixcols has as its inverse the matrix
$$
\begin{pmatrix}
0e & 0b & 0d & 09 \\
09 & 0e & 0b & 0d \\
0d & 09 & 0e & 0b \\
0b & 0d & 09 & 0e
\end{pmatrix}
$$
Explain why all entries in this matrix begin with a zero-byte.
Problem 4.7 How many different permutations are there from 128 bits to 128 bits? How many different functions are there from 128 bits to 128 bits?
Problem 4.8 Upper and lower bound, as best you can, the probability that a random function from 128 bits to 128 bits is actually a permutation.
Problem 4.9 Without consulting any of the numerous public-domain implementations available, implement AES, on your own, from the spec or from the description provided by this chapter. Then test your implementation according to the test vectors provided in the AES documentation.
Problem 4.10 Justify and then refute (both) the following proposition: enciphering under AES can be implemented faster than deciphering.
Chapter 5
Pseudorandom functions
Pseudorandom functions (PRFs) and their cousins, pseudorandom permutations (PRPs), ﬁgure as central tools
in the design of protocols, especially those for sharedkey cryptography. At one level, PRFs and PRPs can be
used to model block ciphers, and they thereby enable the security analysis of protocols based on block ciphers.
But PRFs and PRPs are also a useful conceptual starting point in contexts where block ciphers don’t quite ﬁt
the bill because of their ﬁxed blocklength. So in this chapter we will introduce PRFs and PRPs and investigate
their basic properties.
5.1 Function families
A function family is a map $F: \mathcal{K} \times D \to R$. Here $\mathcal{K}$ is the set of keys of F and D is the domain of F and R is the range of F. The set of keys and the range are finite, and all of the sets are non-empty. The two-input function F takes a key K and an input X to return a point Y we denote by F(K, X). For any key $K \in \mathcal{K}$ we define the map $F_K: D \to R$ by $F_K(X) = F(K, X)$. We call the function $F_K$ an instance of function family F. Thus F specifies a collection of maps, one for each key. That's why we call F a function family or family of functions.
Sometimes we write Keys(F) for $\mathcal{K}$, Dom(F) for D, and Range(F) for R.
Usually $\mathcal{K} = \{0,1\}^k$ for some integer k, the key length. Often $D = \{0,1\}^\ell$ for some integer $\ell$ called the input length, and $R = \{0,1\}^L$ for some integer L called the output length. But sometimes the domain or range could be sets containing strings of varying lengths.
There is some probability distribution on the (finite) set of keys $\mathcal{K}$. Unless otherwise indicated, this distribution will be the uniform one. We denote by $K \xleftarrow{\$} \mathcal{K}$ the operation of selecting a random string from $\mathcal{K}$ and naming it K. We denote by $f \xleftarrow{\$} F$ the operation: $K \xleftarrow{\$} \mathcal{K}$; $f \leftarrow F_K$. In other words, let f be the function $F_K$ where K is a randomly chosen key. We are interested in the input-output behavior of this randomly chosen instance of the family.
A permutation is a bijection (i.e. a one-to-one onto map) whose domain and range are the same set. That is, a map $\pi: D \to D$ is a permutation if for every $y \in D$ there is exactly one $x \in D$ such that $\pi(x) = y$. We say that F is a family of permutations if Dom(F) = Range(F) and each $F_K$ is a permutation on this common set.
Example 5.1 A block cipher is a family of permutations. In particular DES is a family of permutations $\mathrm{DES}: \mathcal{K} \times D \to R$ with
$$\mathcal{K} = \{0,1\}^{56} \text{ and } D = \{0,1\}^{64} \text{ and } R = \{0,1\}^{64} .$$
Here the key length is k = 56 and the input length and output length are $\ell = L = 64$. Similarly AES (when "AES" refers to "AES128") is a family of permutations $\mathrm{AES}: \mathcal{K} \times D \to R$ with
$$\mathcal{K} = \{0,1\}^{128} \text{ and } D = \{0,1\}^{128} \text{ and } R = \{0,1\}^{128} .$$
Here the key length is k = 128 and the input length and output length are $\ell = L = 128$.
5.2 Random functions and permutations
Let $D, R \subseteq \{0,1\}^*$ be finite nonempty sets and let $\ell, L \ge 1$ be integers. There are two particular function families that we will often consider. One is Func(D,R), the family of all functions of D to R. The other is Perm(D), the family of all permutations on D. For compactness of notation we let Func($\ell$,L), Func($\ell$), and Perm($\ell$) denote Func(D,R), Func(D,D), and Perm(D), respectively, where $D = \{0,1\}^\ell$ and $R = \{0,1\}^L$. A randomly chosen instance of Func(D,R) will be a random function from D to R, and a randomly chosen instance of Perm(D) will be a random permutation on D. Let us now look more closely at these families in turn.
5.2.1 Random functions
The family Func(D,R) has domain D and range R. The set of instances of Func(D,R) is the set of all functions mapping D to R. The key describing any particular instance function is simply a description of this instance function in some canonical notation. For example, order the domain D lexicographically as $X_1, X_2, \ldots$, and then let the key for a function f be the list of values $(f(X_1), f(X_2), \ldots)$. The keyspace of Func(D,R) is simply the set of all these keys, under the uniform distribution.
Let us illustrate in more detail for the case of Func($\ell$,L). The key for a function in this family is simply a list of all the output values of the function as its input ranges over $\{0,1\}^\ell$. Thus
$$\mathrm{Keys}(\mathrm{Func}(\ell,L)) = \{ (Y_1, \ldots, Y_{2^\ell}) : Y_1, \ldots, Y_{2^\ell} \in \{0,1\}^L \}$$
is the set of all sequences of length $2^\ell$ in which each entry of a sequence is an L-bit string. For any $X \in \{0,1\}^\ell$ we interpret X as an integer in the range $\{1, \ldots, 2^\ell\}$ and set
$$\mathrm{Func}(\ell,L)((Y_1, \ldots, Y_{2^\ell}), X) = Y_X .$$
Notice that the key space is very large; it has size $2^{L 2^\ell}$. There is a key for every function of $\ell$ bits to L bits, and this is the number of such functions. The key space is equipped with the uniform distribution, so that $f \xleftarrow{\$} \mathrm{Func}(\ell,L)$ is the operation of picking a random function of $\ell$ bits to L bits.
Example 5.2 We exemplify Func(3,2), meaning $\ell = 3$ and L = 2. The domain is $\{0,1\}^3$ and the range is $\{0,1\}^2$. An example instance f of the family is illustrated below via its input-output table:
x     000  001  010  011  100  101  110  111
f(x)  10   11   01   11   10   00   00   10
The key corresponding to this particular function is
(10, 11, 01, 11, 10, 00, 00, 10) .
The keyspace of Func(3,2) is the set of all such sequences, meaning the set of all 8-tuples each component of which is a two bit string. There are
$$2^{2 \cdot 2^3} = 2^{16} = 65{,}536$$
such tuples, so this is the size of the keyspace.
We will hardly ever actually think about these families in terms of this formalism. It is worth pausing here to
see how to think about them more intuitively, because they are important objects.
We will consider settings in which you have blackbox access to a function g. This means that there is a box to
which you can give any value X of your choice (provided X is in the domain of g), and the box gives you back
g(X). But you can’t “look inside” the box; your only interface to it is the one we have speciﬁed.
A random function g: D → R (where R is a ﬁnite set) being placed in this box corresponds to the following.
Each time you give the box an input, you get back a random element of R, with the sole constraint that if you
twice give the box the same input X, it will be consistent, returning both times the same output g(X).
The dynamic view of a random function can be thought of as implemented by the following computer program.
The program maintains the function in the form of a table T where T[X] holds the value of the function at X.
Initially, the table is empty. The program processes an input X ∈ D as follows:
    if T[X] is not defined
        then Y ←$ R ; T[X] ← Y
    fi
    return T[X]
The answer on any point is random and independent of the answers on other points. It is this “dynamic” view
that we suggest the reader have in mind when thinking about random functions or random permutations.
One must remember that the term "random function" is misleading. It might lead one to think that certain functions are "random" and others are not. (For example, maybe the constant function that always returns $0^L$ on any input is not random, but a function with many different range values is random.) This is not right. The
randomness of the function refers to the way it was chosen, not to an attribute of the selected function itself.
When you choose a function at random, the constant function is just as likely to appear as any other function.
It makes no sense to talk of the randomness of an individual function; the term “random function” just means
a function chosen at random.
Example 5.3 Let's do some simple probabilistic computations to understand random functions. In all of the following, the probability is taken over a random choice of f from Func($\ell$,L), meaning that we have executed the operation $f \xleftarrow{\$} \mathrm{Func}(\ell,L)$.
(1) Fix $X \in \{0,1\}^\ell$ and $Y \in \{0,1\}^L$. Then:
$$\Pr[f(X) = Y] = 2^{-L} .$$
Notice that the probability doesn't depend on $\ell$. Nor does it depend on the values of X, Y.
(2) Fix $X_1, X_2 \in \{0,1\}^\ell$ and $Y_1, Y_2 \in \{0,1\}^L$, and assume $X_1 \neq X_2$. Then
$$\Pr[f(X_1) = Y_1 \mid f(X_2) = Y_2] = 2^{-L} .$$
The above is a conditional probability, and says that even if we know the value of f on $X_1$, its value on a different point $X_2$ is equally likely to be any L-bit string.
(3) Fix $X_1, X_2 \in \{0,1\}^\ell$ and $Y \in \{0,1\}^L$. Then:
$$
\Pr[f(X_1) = Y \text{ and } f(X_2) = Y] =
\begin{cases}
2^{-2L} & \text{if } X_1 \neq X_2 \\
2^{-L} & \text{if } X_1 = X_2
\end{cases}
$$
(4) Fix $X_1, X_2 \in \{0,1\}^\ell$ and $Y \in \{0,1\}^L$. Then:
$$
\Pr[f(X_1) \oplus f(X_2) = Y] =
\begin{cases}
2^{-L} & \text{if } X_1 \neq X_2 \\
0 & \text{if } X_1 = X_2 \text{ and } Y \neq 0^L \\
1 & \text{if } X_1 = X_2 \text{ and } Y = 0^L
\end{cases}
$$
(5) Suppose $l \le L$ and let $\tau: \{0,1\}^L \to \{0,1\}^l$ denote the function that on input $Y \in \{0,1\}^L$ returns the first l bits of Y. Fix distinct $X_1, X_2 \in \{0,1\}^\ell$, $Y_1 \in \{0,1\}^L$ and $Z_2 \in \{0,1\}^l$. Then:
$$\Pr[\tau(f(X_2)) = Z_2 \mid f(X_1) = Y_1] = 2^{-l} .$$
5.2.2 Random permutations
The family Perm(D) has domain and range D. The set of instances of Perm(D) is the set of all permutations on D. The key describing a particular instance is some description of the function. Again, let us illustrate with Perm($\ell$). In this case
$$\mathrm{Keys}(\mathrm{Perm}(\ell)) = \{ (Y_1, \ldots, Y_{2^\ell}) : Y_1, \ldots, Y_{2^\ell} \in \{0,1\}^\ell \text{ and } Y_1, \ldots, Y_{2^\ell} \text{ are all distinct} \} .$$
For any $X \in \{0,1\}^\ell$ we interpret X as an integer in the range $\{1, \ldots, 2^\ell\}$ and set
$$\mathrm{Perm}(\ell)((Y_1, \ldots, Y_{2^\ell}), X) = Y_X .$$
The key space is again equipped with the uniform distribution, so that $\pi \xleftarrow{\$} \mathrm{Perm}(\ell)$ is the operation of picking a random permutation on $\{0,1\}^\ell$. In other words, all the possible permutations on $\{0,1\}^\ell$ are equally likely.
Example 5.4 We exemplify Perm(3), meaning $\ell = 3$. The domain and range are both $\{0,1\}^3$. An example instance $\pi$ of the family is illustrated below via its input-output table:
x     000  001  010  011  100  101  110  111
π(x)  010  111  101  011  110  100  000  001
The function $\pi$ is a permutation because each 3-bit string occurs exactly once in the second row of the table. The key corresponding to this particular permutation is
(010, 111, 101, 011, 110, 100, 000, 001) .
The keyspace of Perm(3) is the set of all such sequences, meaning the set of all 8-tuples whose components consist of all 3-bit strings in some order. There are
$$8! = 40{,}320$$
such tuples, so this is the size of the keyspace.
In the dynamic view, we again want to consider having blackbox access to a permutation π. A random
permutation π: D → D (where D is a ﬁnite set) being placed in this box corresponds to the following. If you
give the box an input X ∈ D, it returns the same answer as before if X has already been queried, but, if not,
it returns a point chosen at random from D−S where S is the set of all values previously returned by the box
in response to queries diﬀerent from X.
The dynamic view of a random permutation can be thought of as implemented by the following computer
program. The program maintains the function in the form of a table T where T[X] holds the value of the
function at X. Initially, the table is empty, and the set S below is also empty. The program processes an input
X ∈ D as follows:
    if T[X] is not defined
        then Y ←$ D − S ; T[X] ← Y ; S ← S ∪ {T[X]}
    fi
    return T[X]
The answer on any point is random, but not independent of the answers on other points, since it is distinct
from those.
Example 5.5 Random permutations are somewhat harder to work with than random functions, due to the lack of independence between values on different points. Let's look at some probabilistic computations involving them. In all of the following, the probability is taken over a random choice of $\pi$ from Perm($\ell$), meaning that we have executed the operation $\pi \xleftarrow{\$} \mathrm{Perm}(\ell)$.
(1) Fix $X, Y \in \{0,1\}^\ell$. Then:
$$\Pr[\pi(X) = Y] = 2^{-\ell} .$$
This is the same as if $\pi$ had been selected at random from Func($\ell$,$\ell$) rather than from Perm($\ell$). However, the similarity vanishes when more than one point is to be considered.
(2) Fix $X_1, X_2 \in \{0,1\}^\ell$ and $Y_1, Y_2 \in \{0,1\}^L$, and assume $X_1 \neq X_2$. Then
$$
\Pr[\pi(X_1) = Y_1 \mid \pi(X_2) = Y_2] =
\begin{cases}
\dfrac{1}{2^\ell - 1} & \text{if } Y_1 \neq Y_2 \\[6pt]
0 & \text{if } Y_1 = Y_2
\end{cases}
$$
The above is a conditional probability, and says that if we know the value of $\pi$ on $X_1$, its value on a different point $X_2$ is equally likely to be any L-bit string other than $\pi(X_1)$. So there are $2^\ell - 1$ choices for $\pi(X_2)$, all equally likely, if $Y_1 \neq Y_2$.
(3) Fix $X_1, X_2 \in \{0,1\}^\ell$ and $Y \in \{0,1\}^L$. Then:
$$
\Pr[\pi(X_1) = Y \text{ and } \pi(X_2) = Y] =
\begin{cases}
0 & \text{if } X_1 \neq X_2 \\
2^{-\ell} & \text{if } X_1 = X_2
\end{cases}
$$
This is true because a permutation can never map distinct $X_1$ and $X_2$ to the same point.
(4) Fix $X_1, X_2 \in \{0,1\}^\ell$ and $Y \in \{0,1\}^\ell$. Then:
$$
\Pr[\pi(X_1) \oplus \pi(X_2) = Y] =
\begin{cases}
\dfrac{1}{2^\ell - 1} & \text{if } X_1 \neq X_2 \text{ and } Y \neq 0^\ell \\[6pt]
0 & \text{if } X_1 \neq X_2 \text{ and } Y = 0^\ell \\
0 & \text{if } X_1 = X_2 \text{ and } Y \neq 0^\ell \\
1 & \text{if } X_1 = X_2 \text{ and } Y = 0^\ell
\end{cases}
$$
In the case $X_1 \neq X_2$ and $Y \neq 0^\ell$ this is computed as follows:
$$
\begin{aligned}
\Pr[\pi(X_1) \oplus \pi(X_2) = Y]
&= \sum_{Y_1} \Pr[\pi(X_2) = Y_1 \oplus Y \mid \pi(X_1) = Y_1] \cdot \Pr[\pi(X_1) = Y_1] \\
&= \sum_{Y_1} \frac{1}{2^\ell - 1} \cdot \frac{1}{2^\ell} \\
&= 2^\ell \cdot \frac{1}{2^\ell - 1} \cdot \frac{1}{2^\ell} \\
&= \frac{1}{2^\ell - 1} .
\end{aligned}
$$
Above, the sum is over all $Y_1 \in \{0,1\}^\ell$. In evaluating the conditional probability, we used item 2 above and the assumption that $Y \neq 0^\ell$.
(5) Suppose $l \le \ell$ and let $\tau: \{0,1\}^\ell \to \{0,1\}^l$ denote the function that on input $Y \in \{0,1\}^\ell$ returns the first l bits of Y. (Note that although $\pi$ is a permutation, $\tau(\pi(\cdot))$ is not a permutation when $l < \ell$.) Fix distinct $X_1, X_2 \in \{0,1\}^\ell$, $Y_1 \in \{0,1\}^L$ and $Z_2 \in \{0,1\}^l$. Then:
$$
\Pr[\tau(\pi(X_2)) = Z_2 \mid \pi(X_1) = Y_1] =
\begin{cases}
\dfrac{2^{\ell - l}}{2^\ell - 1} & \text{if } Z_2 \neq Y_1[1 \ldots l] \\[8pt]
\dfrac{2^{\ell - l} - 1}{2^\ell - 1} & \text{if } Z_2 = Y_1[1 \ldots l]
\end{cases}
$$
This is computed as follows. Let
$$S = \{ Y_2 \in \{0,1\}^\ell : Y_2[1 \ldots l] = Z_2 \text{ and } Y_2 \neq Y_1 \} .$$
We note that $|S| = 2^{\ell - l}$ if $Y_1[1 \ldots l] \neq Z_2$ and $|S| = 2^{\ell - l} - 1$ if $Y_1[1 \ldots l] = Z_2$. Then
$$
\Pr[\tau(\pi(X_2)) = Z_2 \mid \pi(X_1) = Y_1]
= \sum_{Y_2 \in S} \Pr[\pi(X_2) = Y_2 \mid \pi(X_1) = Y_1]
= |S| \cdot \frac{1}{2^\ell - 1} ,
$$
and the claim follows from what we said about the size of S.
5.3 Pseudorandom functions
A pseudorandom function is a family of functions with the property that the inputoutput behavior of a random
instance of the family is “computationally indistinguishable” from that of a random function. Someone who has
only blackbox access to a function, meaning can only feed it inputs and get outputs, has a hard time telling
whether the function in question is a random instance of the family in question or a random function. The
purpose of this section is to arrive at a suitable deﬁnition of this notion. Later we will look at motivation and
applications.
We fix a family of functions $F: \mathcal{K} \times D \to R$. (You may want to think $\mathcal{K} = \{0,1\}^k$, $D = \{0,1\}^\ell$ and $R = \{0,1\}^L$ for some integers $k, \ell, L \ge 1$.) Imagine that you are in a room which contains a terminal connected to a computer outside your room. You can type something into your terminal and send it out, and an answer will come back. The allowed questions you can type must be elements of the domain D, and the answers you get back will be elements of the range R. The computer outside your room implements a function $g: D \to R$, so that whenever you type a value X you get back g(X). However, your only access to g is via this interface, so the only thing you can see is the input-output behavior of g. We consider two different ways in which g will be chosen, giving rise to two different "worlds."
World 0: The function g is drawn at random from Func(D,R), namely, the function g is selected via $g \xleftarrow{\$} \mathrm{Func}(D,R)$.
World 1: The function g is drawn at random from F, namely, the function g is selected via $g \xleftarrow{\$} F$. (Recall this means that a key is chosen via $K \xleftarrow{\$} \mathcal{K}$ and then g is set to $F_K$.)
You are not told which of the two worlds was chosen. The choice of world, and of the corresponding function g,
is made before you enter the room, meaning before you start typing questions. Once made, however, these
choices are ﬁxed until your “session” is over. Your job is to discover which world you are in. To do this, the only
resource available to you is your link enabling you to provide values X and get back g(X). After trying some
number of values of your choice, you must make a decision regarding which world you are in. The quality of
pseudorandom family F can be thought of as measured by the diﬃculty of telling, in the above game, whether
you are in World 0 or in World 1.
In the formalization, the entity referred to as "you" above is an algorithm called the adversary. The adversary algorithm A may be randomized. We formalize the ability to query g as giving A an oracle which takes input any string $X \in D$ and returns g(X). We write $A^g$ to mean that adversary A is being given oracle access to function g. (It can only interact with the function by giving it inputs and examining the outputs for those inputs; it cannot examine the function directly in any way.) Algorithm A can decide which queries to make, perhaps based on answers received to previous queries. Eventually, it outputs a bit b which is its decision as to which world it is in. Outputting the bit "1" means that A "thinks" it is in world 1; outputting the bit "0" means that A thinks it is in world 0. The following definition associates to any such adversary a number between 0 and 1 that is called its prf-advantage, and is a measure of how well the adversary is doing at determining which world it is in. Further explanations follow the definition.
Definition 5.6 Let $F: \mathcal{K} \times D \to R$ be a family of functions, and let A be an algorithm that takes an oracle for a function $g: D \to R$, and returns a bit. We consider two experiments:

Experiment $\mathbf{Exp}^{\text{prf-1}}_F(A)$
    $K \xleftarrow{\$} \mathcal{K}$
    $b \xleftarrow{\$} A^{F_K}$
    Return b

Experiment $\mathbf{Exp}^{\text{prf-0}}_F(A)$
    $g \xleftarrow{\$} \mathrm{Func}(D,R)$
    $b \xleftarrow{\$} A^{g}$
    Return b

The prf-advantage of A is defined as
$$\mathbf{Adv}^{\text{prf}}_F(A) = \Pr\left[\mathbf{Exp}^{\text{prf-1}}_F(A) = 1\right] - \Pr\left[\mathbf{Exp}^{\text{prf-0}}_F(A) = 1\right] .$$
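The dynamic view of Section 5.2 and the two experiments of Definition 5.6, as an added example (this is not code from the notes): a lazily sampled random function and random permutation, each implemented exactly as the "if T[X] is not defined then sample" programs above, and the prf-advantage estimated for a toy family $F(K, X) = K \oplus X$ against a two-query adversary. The family, the adversary, the 16-bit block length and the trial counts are assumptions chosen for the illustration; none of them come from the notes.

```python
# Added example, not code from the lecture notes. Assumed for illustration:
# D = R = {0,1}^16 (handled as ints), the toy family F(K, X) = K xor X, and
# the two-query adversary below.
import secrets
from typing import Callable, Dict, Set

L = 16                      # input/output length in bits (assumption)
Oracle = Callable[[int], int]


class RandomFunction:
    """g <-$ Func(D,R), realized dynamically: T[X] is sampled on first use."""

    def __init__(self) -> None:
        self.table: Dict[int, int] = {}

    def __call__(self, x: int) -> int:
        if x not in self.table:                 # if T[X] is not defined
            self.table[x] = secrets.randbits(L) # then Y <-$ R ; T[X] <- Y
        return self.table[x]                    # return T[X]


class RandomPermutation:
    """pi <-$ Perm(D), realized dynamically: fresh outputs are drawn from D - S."""

    def __init__(self) -> None:
        self.table: Dict[int, int] = {}
        self.used: Set[int] = set()             # the set S of values already returned

    def __call__(self, x: int) -> int:
        if x not in self.table:
            y = secrets.randbits(L)
            while y in self.used:               # resample until Y lies in D - S
                y = secrets.randbits(L)
            self.table[x] = y
            self.used.add(y)
        return self.table[x]


def F(K: int, X: int) -> int:
    """Toy family instance F_K(X) = K xor X. Each output alone is uniform,
    but two outputs together give away the structure."""
    return K ^ X


def adversary(g: Oracle) -> int:
    """A^g with two queries: under F_K, g(X1) xor g(X2) == X1 xor X2 always;
    for a random g it holds only with probability 2^-L. Output 1 = 'world 1'."""
    x1, x2 = 0, 1
    return 1 if g(x1) ^ g(x2) == x1 ^ x2 else 0


def exp_prf1(A: Callable[[Oracle], int]) -> int:
    """Experiment Exp^{prf-1}_F(A): K <-$ Keys ; b <-$ A^{F_K} ; return b."""
    K = secrets.randbits(L)
    return A(lambda X: F(K, X))


def exp_prf0(A: Callable[[Oracle], int]) -> int:
    """Experiment Exp^{prf-0}_F(A): g <-$ Func(D,R) ; b <-$ A^g ; return b."""
    g = RandomFunction()
    return A(g)


def estimate_prf_advantage(A: Callable[[Oracle], int], trials: int = 2000) -> float:
    """Monte Carlo estimate of Adv^prf_F(A) = Pr[Exp1 = 1] - Pr[Exp0 = 1]."""
    p1 = sum(exp_prf1(A) for _ in range(trials)) / trials
    p0 = sum(exp_prf0(A) for _ in range(trials)) / trials
    return p1 - p0


if __name__ == "__main__":
    print(estimate_prf_advantage(adversary))
```

The estimate comes out close to 1: the adversary is right in every run of the first experiment and wrong in all but a $2^{-16}$ fraction of runs of the second, which is the sense in which this family is "broken" as a PRF even though each single output $F_K(X)$ is perfectly uniform. The same two oracle classes serve as World 0 for the PRP experiments of Section 5.4 by swapping RandomFunction for RandomPermutation.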
It should be noted that the family F is public. The adversary A, and anyone else, knows the description of the
family and is capable, given values K, X, of computing F(K, X).
The worlds are captured by what we call experiments. The first experiment picks a random instance $F_K$ of family F and then runs adversary A with oracle $g = F_K$. Adversary A interacts with its oracle, querying it
and getting back answers, and eventually outputs a “guess” bit. The experiment returns the same bit. The
second experiment picks a random function g: D → R and runs A with this as oracle, again returning A’s
guess bit. Each experiment has a certain probability of returning 1. The probability is taken over the random
choices made in the experiment. Thus, for the ﬁrst experiment, the probability is over the choice of K and any
random choices that A might make, for A is allowed to be a randomized algorithm. In the second experiment,
the probability is over the random choice of g and any random choices that A makes. These two probabilities
should be evaluated separately; the two experiments are completely diﬀerent.
To see how well A does at determining which world it is in, we look at the diﬀerence in the probabilities that
the two experiments return 1. If A is doing a good job at telling which world it is in, it would return 1 more
often in the ﬁrst experiment than in the second. So the diﬀerence is a measure of how well A is doing. We call
this measure the prfadvantage of A. Think of it as the probability that A “breaks” the scheme F, with “break”
interpreted in a speciﬁc, technical way based on the deﬁnition.
Diﬀerent adversaries will have diﬀerent advantages. There are two reasons why one adversary may achieve a
greater advantage than another. One is that it is more “clever” in the questions it asks and the way it processes
the replies to determine its output. The other is simply that it asks more questions, or spends more time
processing the replies. Indeed, we expect that as an adversary sees more and more inputoutput examples of g,
or spends more computing time, its ability to tell which world it is in should go up.
The "security" of family F as a pseudorandom function must thus be thought of as depending on the resources allowed to the attacker. We may want to know, for any given resource limitations, what is the prf-advantage achieved by the most "clever" adversary amongst all those who are restricted to the given resource limits.
The choice of resources to consider can vary. One resource of interest is the timecomplexity t of A. Another
resource of interest is the number of queries q that A asks of its oracle. Another resource of interest is the total
length µ of all of A’s queries. When we state results, we will pay attention to such resources, showing how they
inﬂuence maximal adversarial advantage.
Let us explain more about the resources we have mentioned, giving some important conventions underlying their measurement. The first resource is the time-complexity of A. To make sense of this we first need to fix a model of computation. We fix some RAM model, as discussed in Chapter 1. Think of the model used in your algorithms courses, often implicitly, so that you could measure the running time. However, we adopt the convention that the time-complexity of A refers not just to the running time of A, but to the maximum of the running times of the two experiments in the definition, plus the size of the code of A. In measuring the running time of the first experiment, we must count the time to choose the key K at random, and the time to compute the value $F_K(x)$ for any query x made by A to its oracle. In measuring the running time of the second experiment, we count the time to choose the random function g in a dynamic way, meaning we count the cost of maintaining a table of values of the form (X, g(X)). Entries are added to the table as A makes queries. A new entry is made by picking the output value at random.
The number of queries made by A captures the number of input-output examples it sees. In general, not all strings in the domain must have the same length, and hence we also measure the sum of the lengths of all queries made.
The strength of this definition lies in the fact that it does not specify anything about the kinds of strategies that can be used by an adversary; it only limits its resources. An adversary can use whatever means desired to distinguish the function as long as it stays within the specified resource bounds.
What do we mean by a “secure” PRF? Deﬁnition 5.6 does not have any explicit condition or statement regarding
when F should be considered “secure.” It only associates to any adversary A attacking F a prfadvantage
function. Intuitively, F is “secure” if the value of the advantage function is “low” for all adversaries whose
resources are “practical.”
This is, of course, not formal. However, we wish to keep it this way because it better reﬂects reality. In real
life, security is not some absolute or boolean attribute; security is a function of the resources invested by an
attacker. All modern cryptographic systems are breakable in principle; it is just a question of how long it takes.
This is our ﬁrst example of a cryptographic deﬁnition, and it is worth spending time to study and understand
it. We will encounter many more as we go along. Towards this end let us summarize the main features of the
deﬁnitional framework as we will see them arise later. First, there are experiments, involving an adversary. Then,
there is some advantage function associated to an adversary which returns the probability that the adversary
in question “breaks” the scheme. These two components will be present in all deﬁnitions. What varies is the
experiments; this is where we pin down how we measure security.
5.4 Pseudorandom permutations
A family of functions $F: \mathcal{K} \times D \to D$ is a pseudorandom permutation if the input-output behavior of a random instance of the family is "computationally indistinguishable" from that of a random permutation on D.
In this setting, there are two kinds of attacks that one can consider. One, as before, is that the adversary gets an oracle for the function g being tested. However when F is a family of permutations, one can also consider the case where the adversary gets, in addition, an oracle for $g^{-1}$. We consider these settings in turn. The first is the setting of chosen-plaintext attacks while the second is the setting of chosen-ciphertext attacks.
5.4.1 PRP under CPA
We fix a family of functions $F: \mathcal{K} \times D \to D$. (You may want to think $\mathcal{K} = \{0,1\}^k$ and $D = \{0,1\}^\ell$, since this is the most common case. We do not mandate that F be a family of permutations although again this is the most common case.) As before, we consider an adversary A that is placed in a room where it has oracle access to a function g chosen in one of two ways.
World 0: The function g is drawn at random from Perm(D), namely, we choose g according to $g \xleftarrow{\$} \mathrm{Perm}(D)$.
World 1: The function g is drawn at random from F, namely $g \xleftarrow{\$} F$. (Recall this means that a key is chosen via $K \xleftarrow{\$} \mathcal{K}$ and then g is set to $F_K$.)
Notice that World 1 is the same as in the PRF setting, but World 0 has changed. As before the task facing the adversary A is to determine in which world it was placed based on the input-output behavior of g.
Definition 5.7 Let $F: \mathcal{K} \times D \to D$ be a family of functions, and let A be an algorithm that takes an oracle for
a function $g: D \to D$, and returns a bit. We consider two experiments:
Experiment $\mathbf{Exp}^{\text{prp-cpa-1}}_F(A)$
    $K \xleftarrow{\$} \mathcal{K}$
    $b \xleftarrow{\$} A^{F_K}$
    Return b
Experiment $\mathbf{Exp}^{\text{prp-cpa-0}}_F(A)$
    $g \xleftarrow{\$} \mathrm{Perm}(D)$
    $b \xleftarrow{\$} A^{g}$
    Return b
The prp-cpa-advantage of A is defined as
$$\mathbf{Adv}^{\text{prp-cpa}}_F(A) = \Pr\left[\mathbf{Exp}^{\text{prp-cpa-1}}_F(A) = 1\right] - \Pr\left[\mathbf{Exp}^{\text{prp-cpa-0}}_F(A) = 1\right].$$
The intuition is similar to that for Definition 5.6. The difference is that here the “ideal” object that F is being
compared with is no longer the family of random functions, but rather the family of random permutations.
Experiment $\mathbf{Exp}^{\text{prp-cpa-1}}_F(A)$ is actually identical to $\mathbf{Exp}^{\text{prf-1}}_F(A)$. The probability is over the random choice
of key K and also over the coin tosses of A if the latter happens to be randomized. The experiment returns
the same bit that A returns. In Experiment $\mathbf{Exp}^{\text{prp-cpa-0}}_F(A)$, a permutation $g: D \to D$ is chosen at random,
and the result bit of A’s computation with oracle g is returned. The probability is over the choice of g and the
coins of A if any. As before, the measure of how well A did at telling the two worlds apart, which we call the
prp-cpa-advantage of A, is the difference between the probabilities that the experiments return 1.
Conventions regarding resource measures also remain the same as before. Informally, a family F is a secure
PRP under CPA if $\mathbf{Adv}^{\text{prp-cpa}}_F(A)$ is “small” for all adversaries using a “practical” amount of resources.
5.4.2 PRP under CCA
We fix a family of permutations $F: \mathcal{K} \times D \to D$. (You may want to think $\mathcal{K} = \{0,1\}^k$ and $D = \{0,1\}^\ell$, since
this is the most common case. This time, we do mandate that F be a family of permutations.) As before,
we consider an adversary A that is placed in a room, but now it has oracle access to two functions, g and its
inverse $g^{-1}$. The manner in which g is chosen is the same as in the CPA case, and once g is chosen, $g^{-1}$ is
automatically defined, so we do not have to say how it is chosen.
World 0: The function g is drawn at random from Perm(D), namely via $g \xleftarrow{\$} \mathrm{Perm}(D)$. (So g is just a random
permutation on D.)
World 1: The function g is drawn at random from F, namely $g \xleftarrow{\$} F$.
In World 1 we let $g^{-1} = F_K^{-1}$ be the inverse of the chosen instance, while in World 0 it is the inverse of the
chosen random permutation. As before the task facing the adversary A is to determine in which world it was
placed based on the input-output behavior of its oracles.
Definition 5.8 Let $F: \mathcal{K} \times D \to D$ be a family of permutations, and let A be an algorithm that takes an oracle
for a function $g: D \to D$, and also an oracle for the function $g^{-1}: D \to D$, and returns a bit. We consider two
experiments:
Experiment $\mathbf{Exp}^{\text{prp-cca-1}}_F(A)$
    $K \xleftarrow{\$} \mathcal{K}$
    $b \xleftarrow{\$} A^{F_K,\, F_K^{-1}}$
    Return b
Experiment $\mathbf{Exp}^{\text{prp-cca-0}}_F(A)$
    $g \xleftarrow{\$} \mathrm{Perm}(D)$
    $b \xleftarrow{\$} A^{g,\, g^{-1}}$
    Return b
The prp-cca-advantage of A is defined as
$$\mathbf{Adv}^{\text{prp-cca}}_F(A) = \Pr\left[\mathbf{Exp}^{\text{prp-cca-1}}_F(A) = 1\right] - \Pr\left[\mathbf{Exp}^{\text{prp-cca-0}}_F(A) = 1\right].$$
The intuition is similar to that for Definition 5.6. The difference is that here the adversary has more power: not
only can it query g, but it can directly query $g^{-1}$. Conventions regarding resource measures also remain the
same as before. However, we will be interested in some additional resource parameters. Specifically, since there
are now two oracles, we can count separately the number of queries, and total length of these queries, for each.
As usual, informally, a family F is a secure PRP under CCA if $\mathbf{Adv}^{\text{prp-cca}}_F(A)$ is “small” for all adversaries
using a “practical” amount of resources.
5.4.3 Relations between the notions
If an adversary does not query $g^{-1}$ the oracle might as well not be there, and the adversary is effectively
mounting a chosen-plaintext attack. Thus we have the following:
Proposition 5.9 [PRP-CCA implies PRP-CPA] Let $F: \mathcal{K} \times D \to D$ be a family of permutations and let A
be a (PRP-CPA attacking) adversary. Suppose that A runs in time t, asks q queries, and these queries total µ
bits. Then there exists a (PRP-CCA attacking) adversary B that runs in time t, asks q chosen-plaintext queries,
these queries totaling µ bits, and asks no chosen-ciphertext queries, where
$$\mathbf{Adv}^{\text{prp-cca}}_F(B) \geq \mathbf{Adv}^{\text{prp-cpa}}_F(A).$$
Though the technical result is easy, it is worth stepping back to explain its interpretation. The theorem says
that if you have an adversary A that breaks F in the PRP-CPA sense, then you have some other adversary B
that breaks F in the PRP-CCA sense. Furthermore, the adversary B will be just as efficient as the adversary A was.
As a consequence, if you think there is no reasonable adversary B that breaks F in the PRP-CCA sense, then
you have no choice but to believe that there is no reasonable adversary A that breaks F in the PRP-CPA sense.
The nonexistence of a reasonable adversary B that breaks F in the PRP-CCA sense means that F is PRP-CCA
secure, while the nonexistence of a reasonable adversary A that breaks F in the PRP-CPA sense means that F
is PRP-CPA secure. So PRP-CCA security implies PRP-CPA security, and a statement like the proposition
above is how, precisely, one makes such a statement.
5.5 Modeling block ciphers
One of the primary motivations for the notions of pseudorandom functions (PRFs) and pseudorandom permutations
(PRPs) is to model block ciphers and thereby enable the security analysis of protocols that use block
ciphers.
As discussed in Section 4.6, classically the security of DES or other block ciphers has been looked at only with
regard to key recovery. That is, analysis of a block cipher F has focused on the following question: Given some
number of input-output examples
$$(X_1, F_K(X_1)), \ldots, (X_q, F_K(X_q))$$
where K is a random, unknown key, how hard is it to find K? The block cipher is taken as “secure” if the
resources required to recover the key are prohibitive. Yet, as we saw, even a cursory glance at common block
cipher usages shows that hardness of key recovery is not sufficient for security. We had discussed wanting a
master security property of block ciphers under which natural usages of block ciphers could be proven secure.
We suggest that this master property is that the block cipher be a secure PRP, under either CPA or CCA.
We cannot prove that specific block ciphers have this property. The best we can do is assume they do, and
then go on to use them. For quantitative security assessments, we would make specific conjectures about the
advantage functions of various block ciphers. For example we might conjecture something like:
$$\mathbf{Adv}^{\text{prp-cpa}}_{\mathrm{DES}}(A_{t,q}) \leq c_1 \cdot \frac{t/T_{\mathrm{DES}}}{2^{55}} + c_2 \cdot \frac{q}{2^{40}}$$
for any adversary $A_{t,q}$ that runs in time at most t and asks at most q 64-bit oracle queries. Here $T_{\mathrm{DES}}$ is the time
to do one DES computation on our fixed RAM model of computation, and $c_1, c_2$ are some constants depending
only on this model. In other words, we are conjecturing that the best attacks are either exhaustive key search
or linear cryptanalysis. We might be bolder with regard to AES and conjecture something like
$$\mathbf{Adv}^{\text{prp-cpa}}_{\mathrm{AES}}(B_{t,q}) \leq c_1 \cdot \frac{t/T_{\mathrm{AES}}}{2^{128}} + c_2 \cdot \frac{q}{2^{128}}$$
for any adversary $B_{t,q}$ that runs in time at most t and asks at most q 128-bit oracle queries. We could also
make similar conjectures regarding the strength of block ciphers as PRPs under CCA rather than CPA.
More interesting is $\mathbf{Adv}^{\text{prf}}_{\mathrm{DES}}(t, q)$. Here we cannot do better than assume that
$$\mathbf{Adv}^{\text{prf}}_{\mathrm{DES}}(A_{t,q}) \leq c_1 \cdot \frac{t/T_{\mathrm{DES}}}{2^{55}} + \frac{q^2}{2^{64}}$$
$$\mathbf{Adv}^{\text{prf}}_{\mathrm{AES}}(B_{t,q}) \leq c_1 \cdot \frac{t/T_{\mathrm{AES}}}{2^{128}} + \frac{q^2}{2^{128}}$$
for any adversaries $A_{t,q}$, $B_{t,q}$ running in time at most t and making at most q oracle queries. This is due to
the birthday attack discussed later. The second term in each formula arises simply because the object under
consideration is a family of permutations.
We stress that these are all conjectures. There could exist highly effective attacks that break DES or AES as a
PRF without recovering the key. So far, we do not know of any such attacks, but the amount of cryptanalytic
effort that has focused on this goal is small. Certainly, to assume that a block cipher is a PRF is a much
stronger assumption than that it is secure against key recovery. Nonetheless, the motivation and arguments we
have outlined in favor of the PRF assumption still stand, and our view is that if a block cipher is broken as a PRF
then it should be considered insecure, and a replacement should be sought.
5.6 Example Attacks
Let us illustrate the models by providing adversaries that attack different function families in these models.
Example 5.10 We define a family of functions $F: \{0,1\}^k \times \{0,1\}^\ell \to \{0,1\}^L$ as follows. We let $k = L\ell$ and
view a k-bit key K as specifying an L row by $\ell$ column matrix of bits. (To be concrete, assume the first L
bits of K specify the first column of the matrix, the next L bits of K specify the second column of the matrix,
and so on.) The input string $X = X[1] \ldots X[\ell]$ is viewed as a sequence of bits, and the value of F(K, X) is the
corresponding matrix-vector product. That is
$$F_K(X) = \begin{bmatrix} K[1,1] & K[1,2] & \cdots & K[1,\ell] \\ K[2,1] & K[2,2] & \cdots & K[2,\ell] \\ \vdots & \vdots & & \vdots \\ K[L,1] & K[L,2] & \cdots & K[L,\ell] \end{bmatrix} \begin{bmatrix} X[1] \\ X[2] \\ \vdots \\ X[\ell] \end{bmatrix} = \begin{bmatrix} Y[1] \\ Y[2] \\ \vdots \\ Y[L] \end{bmatrix}$$
where
$$\begin{aligned} Y[1] &= K[1,1] \cdot X[1] \oplus K[1,2] \cdot X[2] \oplus \cdots \oplus K[1,\ell] \cdot X[\ell] \\ Y[2] &= K[2,1] \cdot X[1] \oplus K[2,2] \cdot X[2] \oplus \cdots \oplus K[2,\ell] \cdot X[\ell] \\ &\;\;\vdots \\ Y[L] &= K[L,1] \cdot X[1] \oplus K[L,2] \cdot X[2] \oplus \cdots \oplus K[L,\ell] \cdot X[\ell]. \end{aligned}$$
Here the bits in the matrix are the bits in the key, and arithmetic is modulo two. The question we ask is whether
F is a “secure” PRF. We claim that the answer is no. The reason is that one can design an adversary algorithm
A that achieves a high advantage (close to 1) in distinguishing between the two worlds.
We observe that for any key K we have $F_K(0^\ell) = 0^L$. This is a weakness since a random function of $\ell$ bits
to L bits is very unlikely to return $0^L$ on input $0^\ell$, and thus this fact can be the basis of a distinguishing
adversary. Let us now show how the adversary works. Remember that as per our model it is given an oracle
$g: \{0,1\}^\ell \to \{0,1\}^L$ and will output a bit. Our adversary D works as follows:
Adversary $D^g$
    $Y \leftarrow g(0^\ell)$
    if $Y = 0^L$ then return 1 else return 0
This adversary queries its oracle at the point $0^\ell$, and denotes by Y the bit string that is returned. If $Y = 0^L$
it bets that g was an instance of the family F, and if $Y \neq 0^L$ it bets that g was a random function. Let us now
see how well this adversary does. We claim that
$$\Pr\left[\mathbf{Exp}^{\text{prf-1}}_F(D) = 1\right] = 1$$
$$\Pr\left[\mathbf{Exp}^{\text{prf-0}}_F(D) = 1\right] = 2^{-L}.$$
Why? Look at Experiment $\mathbf{Exp}^{\text{prf-1}}_F(D)$ as defined in Definition 5.6. Here $g = F_K$ for some K. In that case it is
certainly true that $g(0^\ell) = 0^L$ so by the code we wrote for D the latter will return 1. On the other hand look at
Experiment $\mathbf{Exp}^{\text{prf-0}}_F(D)$ as defined in Definition 5.6. Here g is a random function. As we saw in Example 5.3,
the probability that $g(0^\ell) = 0^L$ will be $2^{-L}$, and hence this is the probability that D will return 1. Now as per
Definition 5.6 we subtract to get
$$\mathbf{Adv}^{\text{prf}}_F(D) = \Pr\left[\mathbf{Exp}^{\text{prf-1}}_F(D) = 1\right] - \Pr\left[\mathbf{Exp}^{\text{prf-0}}_F(D) = 1\right] = 1 - 2^{-L}.$$
Now let t be the time complexity of D. This is $O(\ell + L)$ plus the time for one computation of F, coming to
$O(\ell^2 L)$. The number of queries made by D is just one, and the total length of all queries is $\ell$. Our conclusion
is that there exists an extremely efficient adversary whose prf-advantage is very high (almost one). Thus, F is
not a secure PRF.
Example 5.11 Suppose we are given a secure PRF $F: \{0,1\}^k \times \{0,1\}^\ell \to \{0,1\}^L$. We want to use F to
design a PRF $G: \{0,1\}^k \times \{0,1\}^\ell \to \{0,1\}^{2L}$. The input length of G is the same as that of F but the output
length of G is twice that of F. We suggest the following candidate construction: for every k-bit key K and
every $\ell$-bit input x
$$G_K(x) = F_K(x) \,\|\, F_K(\bar{x}).$$
Here “$\|$” denotes concatenation of strings, and $\bar{x}$ denotes the bitwise complement of the string x. We ask
whether this is a “good” construction. “Good” means that under the assumption that F is a secure PRF, G
should be too. However, this is not true. Regardless of the quality of F, the construct G is insecure. Let us
demonstrate this.
We want to specify an adversary attacking G. Since an instance of G maps $\ell$ bits to 2L bits, the adversary D
will get an oracle for a function g that maps $\ell$ bits to 2L bits. In World 0, g will be chosen as a random function
of $\ell$ bits to 2L bits, while in World 1, g will be set to $G_K$ where K is a random k-bit key. The adversary must
determine in which world it is placed. Our adversary works as follows:
Adversary $D^g$
    $y_1 \leftarrow g(1^\ell)$
    $y_2 \leftarrow g(0^\ell)$
    Parse $y_1$ as $y_1 = y_{1,1} \,\|\, y_{1,2}$ with $|y_{1,1}| = |y_{1,2}| = L$
    Parse $y_2$ as $y_2 = y_{2,1} \,\|\, y_{2,2}$ with $|y_{2,1}| = |y_{2,2}| = L$
    if $y_{1,1} = y_{2,2}$ then return 1 else return 0
This adversary queries its oracle at the point $1^\ell$ to get back $y_1$ and then queries its oracle at the point $0^\ell$ to
get back $y_2$. Notice that $1^\ell$ is the bitwise complement of $0^\ell$. The adversary checks whether the first half of $y_1$
equals the second half of $y_2$, and if so bets that it is in World 1. Let us now see how well this adversary does.
We claim that
$$\Pr\left[\mathbf{Exp}^{\text{prf-1}}_G(D) = 1\right] = 1$$
$$\Pr\left[\mathbf{Exp}^{\text{prf-0}}_G(D) = 1\right] = 2^{-L}.$$
Why? Look at Experiment $\mathbf{Exp}^{\text{prf-1}}_G(D)$ as defined in Definition 5.6. Here $g = G_K$ for some K. In that case
we have
$$G_K(1^\ell) = F_K(1^\ell) \,\|\, F_K(0^\ell)$$
$$G_K(0^\ell) = F_K(0^\ell) \,\|\, F_K(1^\ell)$$
by definition of the family G. Notice that the first half of $G_K(1^\ell)$ is the same as the second half of $G_K(0^\ell)$. So
D will return 1. On the other hand look at Experiment $\mathbf{Exp}^{\text{prf-0}}_G(D)$ as defined in Definition 5.6. Here g is a
random function. So the values $g(1^\ell)$ and $g(0^\ell)$ are both random and independent 2L-bit strings. What is the
probability that the first half of the first string equals the second half of the second string? It is exactly the
probability that two randomly chosen L-bit strings are equal, and this is $2^{-L}$. So this is the probability that D
will return 1. Now as per Definition 5.6 we subtract to get
$$\mathbf{Adv}^{\text{prf}}_G(D) = \Pr\left[\mathbf{Exp}^{\text{prf-1}}_G(D) = 1\right] - \Pr\left[\mathbf{Exp}^{\text{prf-0}}_G(D) = 1\right] = 1 - 2^{-L}.$$
Now let t be the time complexity of D. This is $O(\ell + L)$ plus the time for two computations of G, coming to
$O(\ell + L)$ plus the time for four computations of F. The number of queries made by D is two, and the total
length of all queries is $2\ell$. Thus we have exhibited an efficient adversary with a very high prf-advantage, showing
that G is not a secure PRF.
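As an added example (not from the notes), the following Python code instantiates Example 5.11 and runs the adversary D against G in both worlds. The example leaves F abstract, so HMAC-SHA256 truncated to L bits stands in for the secure PRF here; that choice, the parameters $\ell = 64$ and $L = 128$, and the lazily sampled random function used for World 0 are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets

# Constructed parameters (not from the notes): l = 64 input bits, L = 128 output bits
# for F, so G outputs 2L = 256 bits; keys are 32 bytes.
ELL = 64
L = 128
K_BYTES = 32


def f(key: bytes, x: int) -> bytes:
    """Stand-in for the secure PRF F: {0,1}^k x {0,1}^l -> {0,1}^L. HMAC-SHA256
    truncated to L bits is assumed here; Example 5.11 leaves F abstract."""
    return hmac.new(key, x.to_bytes(ELL // 8, "big"), hashlib.sha256).digest()[: L // 8]


def complement(x: int) -> int:
    """Bitwise complement of an l-bit string."""
    return x ^ ((1 << ELL) - 1)


def g_construction(key: bytes, x: int) -> bytes:
    """The candidate G_K(x) = F_K(x) || F_K(x-bar) of Example 5.11."""
    return f(key, x) + f(key, complement(x))


def distinguisher(g) -> int:
    """Adversary D^g of Example 5.11: the first half of g(1^l) must equal the
    second half of g(0^l) whenever g is an instance of G."""
    y1 = g((1 << ELL) - 1)                 # g(1^l)
    y2 = g(0)                              # g(0^l)
    y11, y12 = y1[: L // 8], y1[L // 8 :]  # parse y1 = y_{1,1} || y_{1,2}
    y21, y22 = y2[: L // 8], y2[L // 8 :]  # parse y2 = y_{2,1} || y_{2,2}
    return 1 if y11 == y22 else 0


class RandomFunction:
    """World 0 oracle: a random function {0,1}^l -> {0,1}^{2L}, sampled lazily
    so that repeated queries get consistent answers."""

    def __init__(self) -> None:
        self.table = {}

    def __call__(self, x: int) -> bytes:
        if x not in self.table:
            self.table[x] = secrets.token_bytes(2 * L // 8)
        return self.table[x]


def world1() -> int:
    """Exp^{prf-1}_G(D): g = G_K for a random key; D returns 1 with probability 1."""
    key = secrets.token_bytes(K_BYTES)
    return distinguisher(lambda x: g_construction(key, x))


def world0() -> int:
    """Exp^{prf-0}_G(D): g is a random function; D returns 1 with probability 2^-L."""
    return distinguisher(RandomFunction())


if __name__ == "__main__":
    print("World 1:", world1(), " World 0:", world0())
```

The two oracle queries and the two string comparisons are all D needs; its advantage $1 - 2^{-L}$ does not depend on how strong F is, which is the point of the example.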
5.7 Security against key recovery
We have mentioned several times that security against key recovery is not sufficient as a notion of security for
a block cipher. However it is certainly necessary: if key recovery is easy, the block cipher should be declared
insecure. We have indicated that we want to adopt as notion of security for a block cipher the notion of a
PRF or a PRP. If this is to be viable, it should be the case that any function family that is insecure under key
recovery is also insecure as a PRF or PRP. In this section we verify this simple fact. Doing so will enable us to
exercise the method of reductions.
We begin by formalizing security against key recovery. We consider an adversary that, based on input-output
examples of an instance $F_K$ of family F, tries to find K. Its advantage is defined as the probability that it
succeeds in finding K. The probability is over the random choice of K, and any random choices of the adversary
itself.
We give the adversary oracle access to $F_K$ so that it can obtain input-output examples of its choice. We do not
constrain the adversary with regard to the method it uses. This leads to the following definition.
Definition 5.12 Let $F: \mathcal{K} \times D \to R$ be a family of functions, and let B be an algorithm that takes an oracle
for a function $g: D \to R$ and outputs a string. We consider the experiment:
Experiment $\mathbf{Exp}^{\text{kr}}_F(B)$
    $K \xleftarrow{\$} \mathrm{Keys}(F)$
    $K' \leftarrow B^{F_K}$
    If $K = K'$ then return 1 else return 0
The kr-advantage of B is defined as
$$\mathbf{Adv}^{\text{kr}}_F(B) = \Pr\left[\mathbf{Exp}^{\text{kr}}_F(B) = 1\right].$$
This definition has been made general enough to capture all types of key-recovery attacks. Any of the classical
attacks such as exhaustive key search, differential cryptanalysis or linear cryptanalysis correspond to different,
specific choices of adversary B. They fall in this framework because all have the goal of finding the key K based
on some number of input-output examples of an instance $F_K$ of the cipher. To illustrate let us see what are the
implications of the classical key-recovery attacks on DES for the value of the key-recovery advantage function
of DES. Assuming the exhaustive key-search attack is always successful based on testing two input-output
examples leads to the fact that there exists an adversary B such that $\mathbf{Adv}^{\text{kr}}_{\mathrm{DES}}(B) = 1$ and B makes two oracle
queries and has running time about $2^{55}$ times the time $T_{\mathrm{DES}}$ for one computation of DES. On the other hand,
linear cryptanalysis implies that there exists an adversary B such that $\mathbf{Adv}^{\text{kr}}_{\mathrm{DES}}(B) \geq 1/2$ and B makes $2^{44}$
oracle queries and has running time about $2^{44}$ times the time $T_{\mathrm{DES}}$ for one computation of DES.
For a more concrete example, let us look at the key-recovery advantage of the family of Example 5.10.
Example 5.13 Let $F: \{0,1\}^k \times \{0,1\}^\ell \to \{0,1\}^L$ be the family of functions from Example 5.10. We saw that
its prf-advantage was very high. Let us now compute its kr-advantage. The following adversary B recovers the
key. We let $e_j$ be the $\ell$-bit binary string having a 1 in position j and zeros everywhere else. We assume that the
manner in which the key K defines the matrix is that the first L bits of K form the first column of the matrix,
the next L bits of K form the second column of the matrix, and so on.
Adversary $B^{F_K}$
    $K' \leftarrow \lambda$ // $\lambda$ is the empty string
    for $j = 1, \ldots, \ell$ do
        $y_j \leftarrow F_K(e_j)$
        $K' \leftarrow K' \,\|\, y_j$
    return $K'$
The adversary B invokes its oracle to compute the output of the function on input $e_j$. The result, $y_j$, is exactly
the j-th column of the matrix associated to the key K. The matrix entries are concatenated to yield $K'$, which
is returned as the key. Since the adversary always finds the key we have
$$\mathbf{Adv}^{\text{kr}}_F(B) = 1.$$
The time-complexity of this adversary is $t = O(\ell^2 L)$ since it makes $q = \ell$ calls to its oracle and each computation
of $F_K$ takes $O(\ell L)$ time. The parameters here should still be considered small: $\ell$ is 64 or 128, which is small for
the number of queries. So F is insecure against key-recovery.
Note that the F of the above example is less secure as a PRF than against key-recovery: its advantage function
as a PRF had a value close to 1 for parameter values much smaller than those above. This leads into our next
claim, which says that for any given parameter values, the kr-advantage of a family cannot be significantly more
than its prf or prp-cpa advantage.
Proposition 5.14 Let $F: \mathcal{K} \times D \to R$ be a family of functions, and let B be a key-recovery adversary against
F. Assume B’s running time is at most t and it makes at most $q < |D|$ oracle queries. Then there exists a PRF
adversary A against F such that A has running time at most t plus the time for one computation of F, makes
at most q + 1 oracle queries, and
$$\mathbf{Adv}^{\text{kr}}_F(B) \leq \mathbf{Adv}^{\text{prf}}_F(A) + \frac{1}{|R|}. \qquad (5.1)$$
Furthermore if D = R then there also exists a PRP CPA adversary A against F such that A has running time
at most t plus the time for one computation of F, makes at most q + 1 oracle queries, and
$$\mathbf{Adv}^{\text{kr}}_F(B) \leq \mathbf{Adv}^{\text{prp-cpa}}_F(A) + \frac{1}{|D| - q}. \qquad (5.2)$$
The Proposition implies that if a family of functions is a secure PRF or PRP then it is also secure against all
key-recovery attacks. In particular, if a block cipher is modeled as a PRP or PRF, we are implicitly assuming
it to be secure against key-recovery attacks.
Before proceeding to a formal proof let us discuss the underlying ideas. The problem that adversary A is trying
to solve is to determine whether its given oracle g is a random instance of F or a random function of D to R.
A will run B as a subroutine and use B’s output to solve its own problem.
B is an algorithm that expects to be in a world where it gets an oracle $F_K$ for some random key $K \in \mathcal{K}$, and
it tries to find K via queries to its oracle. For simplicity, first assume that B makes no oracle queries. Now,
when A runs B, it produces some key $K'$. A can test $K'$ by checking whether $F(K', x)$ agrees with g(x) for
some value x. If so, it bets that g was an instance of F, and if not it bets that g was random.
If B does make oracle queries, we must ask how A can run B at all. The oracle that B wants is not available.
However, B is a piece of code, communicating with its oracle via a prescribed interface. If you start running B,
at some point it will output an oracle query, say by writing this to some prescribed memory location, and stop.
It awaits an answer, to be provided in another prescribed memory location. When that appears, it continues
its execution. When it is done making oracle queries, it will return its output. Now when A runs B, it will
itself supply the answers to B’s oracle queries. When B stops, having made some query, A will fill in the reply
in the prescribed memory location, and let B continue its execution. B does not know the difference between
this “simulated” oracle and the real oracle except in so far as it can glean this from the values returned.
The value that B expects in reply to query x is $F_K(x)$ where K is a random key from $\mathcal{K}$. However, A returns
to it as the answer to query x the value g(x), where g is A’s oracle. When A is in World 1, g is an instance
of F and so B is functioning as it would in its usual environment, and will return the key K with a probability
equal to its kr-advantage. However when A is in World 0, g is a random function, and B is getting back values
that bear little relation to the ones it is expecting. That does not matter. B is a piece of code that will run to
completion and produce some output. When we are in World 0, we have no idea what properties this output
will have. But it is some key in $\mathcal{K}$, and A will test it as indicated above. It will fail the test with high probability
as long as the test point x was not one that B queried, and A will make sure the latter is true via its choice of
x. Let us now proceed to the actual proof.
Proof of Proposition 5.14: We prove the first equation and then briefly indicate how to alter the proof to
prove the second equation.
As per Definition 5.6, adversary A will be provided an oracle for a function $g: D \to R$, and will try to determine
in which World it is. To do so, it will run adversary B as a subroutine. We provide the description followed by
an explanation and analysis.
Adversary $A^g$
    $i \leftarrow 0$
    Run adversary B, replying to its oracle queries as follows
        When B makes an oracle query x do
            $i \leftarrow i + 1$ ; $x_i \leftarrow x$
            $y_i \leftarrow g(x_i)$
            Return $y_i$ to B as the answer
    Until B stops and outputs a key $K'$
    Let x be some point in $D - \{x_1, \ldots, x_q\}$
    $y \leftarrow g(x)$
    if $F(K', x) = y$ then return 1 else return 0
As indicated in the discussion preceding the proof, A is running B and itself providing answers to B’s oracle
queries via the oracle g. When B has run to completion it returns some $K' \in \mathcal{K}$, which A tests by checking
whether $F(K', x)$ agrees with g(x). Here x is a value different from any that B queried, and it is to ensure that
such a value can be found that we require $q < |D|$ in the statement of the Proposition. Now we claim that
$$\Pr\left[\mathbf{Exp}^{\text{prf-1}}_F(A) = 1\right] \geq \mathbf{Adv}^{\text{kr}}_F(B) \qquad (5.3)$$
$$\Pr\left[\mathbf{Exp}^{\text{prf-0}}_F(A) = 1\right] = \frac{1}{|R|}. \qquad (5.4)$$
We will justify these claims shortly, but first let us use them to conclude. Subtracting, as per Definition 5.6, we
get
$$\begin{aligned} \mathbf{Adv}^{\text{prf}}_F(A) &= \Pr\left[\mathbf{Exp}^{\text{prf-1}}_F(A) = 1\right] - \Pr\left[\mathbf{Exp}^{\text{prf-0}}_F(A) = 1\right] \\ &\geq \mathbf{Adv}^{\text{kr}}_F(B) - \frac{1}{|R|} \end{aligned}$$
as desired. It remains to justify Equations (5.3) and (5.4).
Equation (5.3) is true because in $\mathbf{Exp}^{\text{prf-1}}_F(A)$ the oracle g is a random instance of F, which is the oracle that
B expects, and thus B functions as it does in $\mathbf{Exp}^{\text{kr}}_F(B)$. If B is successful, meaning the key $K'$ it outputs
equals K, then certainly A returns 1. (It is possible that A might return 1 even though B was not successful.
This would happen if $K' \neq K$ but $F(K', x) = F(K, x)$. It is for this reason that Equation (5.3) is an inequality
rather than an equality.) Equation (5.4) is true because in $\mathbf{Exp}^{\text{prf-0}}_F(A)$ the function g is random, and since
x was never queried by B, the value g(x) is unpredictable to B. Imagine that g(x) is chosen only when x is
queried to g. At that point, $K'$, and thus $F(K', x)$, is already defined. So g(x) has a $1/|R|$ chance of hitting
this fixed point. Note this is true regardless of how hard B tries to make $F(K', x)$ be the same as g(x).
For the proof of Equation (5.2), the adversary A is the same. For the analysis we see that
$$\Pr\left[\mathbf{Exp}^{\text{prp-cpa-1}}_F(A) = 1\right] \geq \mathbf{Adv}^{\text{kr}}_F(B)$$
$$\Pr\left[\mathbf{Exp}^{\text{prp-cpa-0}}_F(A) = 1\right] \leq \frac{1}{|D| - q}.$$
Subtracting yields Equation (5.2). The first equation above is true for the same reason as before. The second
equation is true because in World 0 the map g is now a random permutation of D to D. So g(x) assumes,
with equal probability, any value in D except $y_1, \ldots, y_q$, meaning there are at least $|D| - q$ things it could be.
(Remember R = D in this case.)
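The adversaries of Example 5.10 and Example 5.13 and the reduction in the proof of Proposition 5.14 all act on the same family, so the following added Python example (not from the notes) implements them together against a toy instance of the matrix family F: the distinguisher D that queries $0^\ell$, the key-recovery adversary B that reads the key columns off the answers to the $e_j$ queries, and the adversary A that runs B on a simulated oracle and tests the returned key at a point B never queried. The parameters $\ell = 8$ and $L = 32$, the bit-ordering conventions, and the lazily sampled random function standing in for World 0 are assumptions made here, not part of the notes.

```python
import secrets

# Constructed toy parameters (not from the notes): input length l = 8 bits,
# output length L = 32 bits, so a key is an L-by-l bit matrix of k = L*l = 256 bits.
ELL = 8
L = 32
K_BITS = L * ELL
L_MASK = (1 << L) - 1


def matrix_prf(key: int, x: int) -> int:
    """F_K(X) of Example 5.10: the matrix-vector product K * X over GF(2).
    Bit strings are ints with the first bit most significant; the first L bits of
    the key form column 1, the next L bits column 2, and so on."""
    y = 0
    for i in range(ELL):                              # i = column index minus one
        if (x >> (ELL - 1 - i)) & 1:                  # X[i+1] selects column i+1
            y ^= (key >> (K_BITS - L * (i + 1))) & L_MASK
    return y                                          # XOR of selected columns = K * X mod 2


class RandomFunction:
    """World 0 oracle: a random function {0,1}^l -> {0,1}^L, sampled lazily
    so the same query always gets the same answer."""

    def __init__(self) -> None:
        self.table = {}

    def __call__(self, x: int) -> int:
        if x not in self.table:
            self.table[x] = secrets.randbits(L)
        return self.table[x]


def distinguisher_d(g) -> int:
    """Adversary D^g of Example 5.10: query 0^l and bet on F iff the answer is 0^L."""
    return 1 if g(0) == 0 else 0


def key_recovery_b(g) -> int:
    """Adversary B^{F_K} of Example 5.13: the answer to e_j is column j of the key
    matrix, so concatenating the answers for j = 1..l rebuilds K."""
    k_prime = 0                                       # lambda, the empty string
    for j in range(1, ELL + 1):
        e_j = 1 << (ELL - j)                          # a 1 in position j, zeros elsewhere
        k_prime = (k_prime << L) | g(e_j)             # K' <- K' || y_j
    return k_prime


def prf_adversary_from_kr(g, b_adversary) -> int:
    """Adversary A^g of Proposition 5.14: run B, answering its queries with g and
    recording them, then test B's key K' at a point x that B never queried."""
    queried = set()

    def simulated_oracle(x: int) -> int:
        queried.add(x)
        return g(x)

    k_prime = b_adversary(simulated_oracle)
    # Some point in D - {x_1, ..., x_q}; this needs q < |D|, as the Proposition requires.
    x = next(p for p in range((1 << ELL) - 1, -1, -1) if p not in queried)
    return 1 if matrix_prf(k_prime, x) == g(x) else 0


def run_experiments(trials: int) -> dict:
    """Estimate how often each adversary returns 1 in World 1 (g = F_K for a
    random key) and World 0 (g a random function), and how often B recovers K."""
    hits = {"D_world1": 0, "D_world0": 0, "B_recovers": 0, "A_world1": 0, "A_world0": 0}
    for _ in range(trials):
        key = secrets.randbits(K_BITS)
        f_k = lambda x, key=key: matrix_prf(key, x)
        hits["D_world1"] += distinguisher_d(f_k)
        hits["D_world0"] += distinguisher_d(RandomFunction())
        hits["B_recovers"] += int(key_recovery_b(f_k) == key)
        hits["A_world1"] += prf_adversary_from_kr(f_k, key_recovery_b)
        hits["A_world0"] += prf_adversary_from_kr(RandomFunction(), key_recovery_b)
    return {name: count / trials for name, count in hits.items()}


if __name__ == "__main__":
    print(run_experiments(20))
```

Running the experiments shows the picture the text describes: D and A return 1 in World 1 and, except with probability $2^{-L}$, return 0 in World 0, while B recovers the key every time, so $\mathbf{Adv}^{\text{kr}}_F(B) = 1$ sits below $\mathbf{Adv}^{\text{prf}}_F(A) + 1/|R|$ as Equation (5.1) requires. The single extra query A makes at the unqueried point x is the (q+1)-st query allowed by the Proposition.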
The following example illustrates that the converse of the above claim is far from true. The kr-advantage of
a family can be significantly smaller than its prf or prp-cpa advantage, meaning that a family might be very
secure against key recovery yet very insecure as a PRF or PRP, and thus not useful for protocol design.
Example 5.15 Define the block cipher $E: \{0,1\}^k \times \{0,1\}^\ell \to \{0,1\}^\ell$ by $E_K(x) = x$ for all k-bit keys K and
all $\ell$-bit inputs x. We claim that it is very secure against key-recovery but very insecure as a PRP under CPA.
More precisely, we claim that for any adversary B,
$$\mathbf{Adv}^{\text{kr}}_E(B) = 2^{-k},$$
regardless of the running time and number of queries made by B. On the other hand there is an adversary A,
making only one oracle query and having a very small running time, such that
$$\mathbf{Adv}^{\text{prp-cpa}}_E(A) \geq 1 - 2^{-\ell}.$$
In other words, given an oracle for $E_K$, you may make as many queries as you want, and spend as much time
as you like, before outputting your guess as to the value of K, yet your chance of getting it right is only $2^{-k}$.
On the other hand, using only a single query to a given oracle $g: \{0,1\}^\ell \to \{0,1\}^\ell$, and very little time, you can
tell almost with certainty whether g is an instance of E or is a random function of $\ell$ bits to $\ell$ bits. Why are
these claims true? Since $E_K$ does not depend on K, an adversary with oracle $E_K$ gets no information about
K by querying it, and hence its guess as to the value of K can be correct only with probability $2^{-k}$. On the
other hand, an adversary can test whether $g(0^\ell) = 0^\ell$, and by returning 1 if and only if this is true, attain a
prp-advantage of $1 - 2^{-\ell}$.
5.8 The birthday attack
Suppose $E: \{0,1\}^k \times \{0,1\}^\ell \to \{0,1\}^\ell$ is a family of permutations, meaning a block cipher. If we are given
an oracle $g: \{0,1\}^\ell \to \{0,1\}^\ell$ which is either an instance of E or a random function, there is a simple test to
determine which of these it is. Query the oracle at distinct points $x_1, x_2, \ldots, x_q$, and get back values $y_1, y_2, \ldots, y_q$.
You know that if g were a permutation, the values $y_1, y_2, \ldots, y_q$ must be distinct. If g was a random function,
they may or may not be distinct. So, if they are distinct, bet on a permutation.
Surprisingly, this is a pretty good adversary, as we will argue below. Roughly, it takes $q = \sqrt{2^\ell}$ queries to get an
advantage that is quite close to 1. The reason is the birthday paradox. If you are not familiar with this, you
may want to look at Appendix A.1, and then come back to the following.
This tells us that an instance of a block cipher can be distinguished from a random function based on seeing a
number of input-output examples which is approximately $2^{\ell/2}$. This has important consequences for the security
of block cipher based protocols.
Proposition 5.16 Let $E: \{0,1\}^k \times \{0,1\}^\ell \to \{0,1\}^\ell$ be a family of permutations. Suppose q satisfies $2 \leq q \leq 2^{(\ell+1)/2}$.
Then there is an adversary A, making q oracle queries and having running time about that to do q
computations of E, such that
$$\mathbf{Adv}^{\text{prf}}_E(A) \geq 0.3 \cdot \frac{q(q-1)}{2^\ell}. \qquad (5.5)$$
Proof of Proposition 5.16: Adversary A is given an oracle $g: \{0,1\}^\ell \to \{0,1\}^\ell$ and works like this:
Adversary $A^g$
    for $i = 1, \ldots, q$ do
        Let $x_i$ be the i-th $\ell$-bit string in lexicographic order
        $y_i \leftarrow g(x_i)$
    if $y_1, \ldots, y_q$ are all distinct then return 1, else return 0
Let us now justify Equation (5.5). Letting $N = 2^\ell$, we claim that
$$\Pr\left[\mathbf{Exp}^{\text{prf-1}}_E(A) = 1\right] = 1 \qquad (5.6)$$
$$\Pr\left[\mathbf{Exp}^{\text{prf-0}}_E(A) = 1\right] = 1 - C(N, q). \qquad (5.7)$$
Here C(N, q), as defined in Appendix A.1, is the probability that some bin gets two or more balls in the
experiment of randomly throwing q balls into N bins. We will justify these claims shortly, but first let us use
them to conclude. Subtracting, we get
$$\begin{aligned} \mathbf{Adv}^{\text{prf}}_E(A) &= \Pr\left[\mathbf{Exp}^{\text{prf-1}}_E(A) = 1\right] - \Pr\left[\mathbf{Exp}^{\text{prf-0}}_E(A) = 1\right] \\ &= 1 - [1 - C(N, q)] \\ &= C(N, q) \\ &\geq 0.3 \cdot \frac{q(q-1)}{2^\ell}. \end{aligned}$$
The last line is by Proposition A.1. It remains to justify Equations (5.6) and (5.7).
Equation (5.6) is clear because in World 1, $g = E_K$ for some key K, and since E is a family of permutations, g is
a permutation, and thus $y_1, \ldots, y_q$ are all distinct. Now, suppose A is in World 0, so that g is a random function
of $\ell$ bits to $\ell$ bits. What is the probability that $y_1, \ldots, y_q$ are all distinct? Since g is a random function and
$x_1, \ldots, x_q$ are distinct, $y_1, \ldots, y_q$ are random, independently distributed values in $\{0,1\}^\ell$. Thus we are looking
at the birthday problem. We are throwing q balls into $N = 2^\ell$ bins and asking what is the probability of there
being no collisions, meaning no bin contains two or more balls. This is $1 - C(N, q)$, justifying Equation (5.7).
5.9 The PRP/PRF switching lemma
When we come to analyses of block cipher based constructions, we will find a curious dichotomy: PRPs are what
most naturally model block ciphers, but analyses are often considerably simpler and more natural assuming the
block cipher is a PRF. To bridge the gap, we relate the prp-security of a block cipher to its prf-security. The
following says, roughly, these two measures are always close—they don’t differ by more than the amount given
by the birthday attack. Thus a particular family of permutations E may have prf-advantage that exceeds its
prp-advantage, but not by more than $0.5\, q^2 / 2^n$.
Lemma 5.17 [PRP/PRF Switching Lemma] Let $E: \mathcal{K} \times \{0,1\}^n \to \{0,1\}^n$ be a function family. Let A
be an adversary that asks at most q oracle queries. Then
$$\left| \Pr\left[\rho \xleftarrow{\$} \mathrm{Func}(n) : A^{\rho} \Rightarrow 1\right] - \Pr\left[\pi \xleftarrow{\$} \mathrm{Perm}(n) : A^{\pi} \Rightarrow 1\right] \right| \leq \frac{q(q-1)}{2^{n+1}}. \qquad (5.8)$$
As a consequence, we have that
$$\left| \mathbf{Adv}^{\text{prf}}_E(A) - \mathbf{Adv}^{\text{prp}}_E(A) \right| \leq \frac{q(q-1)}{2^{n+1}}. \qquad (5.9)$$
The lemma is from [16], but a better proof can be found in [23].
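To make the birthday adversary of Proposition 5.16 and the gap of Lemma 5.17 concrete, here is an added Python example (not from the notes). It uses constructed parameters $\ell = 16$ and $q = 256$ and the toy family $E_K(x) = x \oplus K$ as a stand-in for the block cipher; these choices are assumptions made for the illustration. The code runs A in World 1, estimates the World 0 return rate by sampling, computes C(N, q) exactly, and checks it against the $0.3\,q(q-1)/N$ lower bound of Equation (5.5) and the $q(q-1)/2^{\ell+1}$ bound of Equation (5.9).

```python
import random

# Constructed toy parameters (not from the notes): block length l = 16 bits, so
# N = 2^l = 65536 bins, and q = 256 queries, which satisfies 2 <= q <= 2^((l+1)/2).
ELL = 16
N = 1 << ELL
Q = 256


def toy_block_cipher(key: int, x: int) -> int:
    """Stand-in for the family of permutations E: E_K(x) = x XOR K on l b. It is a
    permutation for every key, which is all the birthday adversary relies on."""
    return x ^ key


def birthday_adversary(g, q: int = Q) -> int:
    """Adversary A^g of Proposition 5.16: query the first q l-bit strings in
    lexicographic order and return 1 iff the answers y_1..y_q are all distinct."""
    ys = [g(x) for x in range(q)]
    return 1 if len(set(ys)) == q else 0


def collision_probability(n: int, q: int) -> float:
    """C(N, q): probability that throwing q balls into N bins puts two in one bin,
    computed exactly as 1 - prod_{i=0}^{q-1} (1 - i/N)."""
    no_collision = 1.0
    for i in range(q):
        no_collision *= 1.0 - i / n
    return 1.0 - no_collision


def birthday_lower_bound(n: int, q: int) -> float:
    """0.3 * q(q-1)/N, the Proposition A.1 lower bound on C(N, q) used in (5.5)."""
    return 0.3 * q * (q - 1) / n


def switching_bound(n_bits: int, q: int) -> float:
    """q(q-1)/2^(n+1), the PRP/PRF Switching Lemma bound (5.8)/(5.9) on how far
    the prf-advantage can exceed the prp-advantage."""
    return q * (q - 1) / (1 << (n_bits + 1))


def world1_return(key: int) -> int:
    """Exp^{prf-1}_E(A): g = E_K is a permutation, so the answers are distinct and A returns 1."""
    return birthday_adversary(lambda x: toy_block_cipher(key, x))


def estimate_world0_return_rate(trials: int, seed: int = 1) -> float:
    """Monte Carlo estimate of Pr[Exp^{prf-0}_E(A) = 1] = 1 - C(N, q). Since A's
    queries are distinct, a random function answers each with an independent
    uniform l-bit string, so no lookup table is needed."""
    rng = random.Random(seed)
    ones = sum(birthday_adversary(lambda x: rng.getrandbits(ELL)) for _ in range(trials))
    return ones / trials


if __name__ == "__main__":
    c = collision_probability(N, Q)
    print(f"C(N,q) = {c:.4f} >= 0.3 q(q-1)/N = {birthday_lower_bound(N, Q):.4f}")
    print(f"prf/prp gap <= q(q-1)/2^(l+1) = {switching_bound(ELL, Q):.4f}")
    print("World 0 return rate:", estimate_world0_return_rate(2000), "expected about", 1 - c)
```

For this A the prp-advantage is 0, since a random permutation also yields distinct answers, so its prf-advantage C(N, q) is the whole prf/prp gap and the Switching Lemma bound must (and does) exceed it; with 2000 trials the Monte Carlo estimate lands within a few percent of $1 - C(N, q)$.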
5.10 Sequences of families of PRFs and PRPs
Above, the function families we consider have a ﬁnite keyspace, and typcially also domains and ranges that
are ﬁnite sets. A sequence of families of functions is a sequence F
1
, F
2
, F
3
, . . ., written ¦F
n
¦
n≥1
. Each F
n
is a
family of functions with input length l(n), output length L(n) and key length k(n), where l, L, k are functions
of the security parameter n, called the input, output and key lengths of the sequence, respectively.
In modeling block ciphers, families as we have considered them are the appropriate abstraction. There are
several reasons, however, for which we may also want to consider sequences of families. One is that security can
be defined asymptotically, which is definitionally more convenient, particularly because in that case we do have
a well-defined notion of security, rather than merely having measures of insecurity as above. Also, when we look
to designs whose security is based on the presumed hardness of number-theoretic problems, we naturally get
sequences of families rather than families. Let us now state the definition of pseudorandomness for a sequence
of families. (We omit the permutation case, which is analogous.)
Let $\mathcal{F} = \{F_n\}_{n \ge 1}$ be a sequence of function families with input length $l(\cdot)$ and output length $L(\cdot)$. We say that
$\mathcal{F}$ is polynomial-time computable if there is a polynomial $p$ and an algorithm which given $n$, $K$ and $x$ outputs
$F_n(K, x)$ in time $p(n)$. To define security, we now consider a sequence $\mathcal{D} = \{D_n\}_{n \ge 1}$ of distinguishers. We say that
$\mathcal{D}$ is polynomial time if there is a polynomial $p$ such that $D_n$ always halts in $p(n)$ steps.
Definition 5.18 Let $\mathcal{F} = \{F_n\}_{n \ge 1}$ be a sequence of function families and let $\mathcal{D} = \{D_n\}_{n \ge 1}$ be a sequence of
distinguishers. The prf-advantage of $\mathcal{D}$ is the function $\mathbf{Adv}^{\mathrm{prf}}_{\mathcal{F},\mathcal{D}}(\cdot)$, defined for every $n$ by
$$\mathbf{Adv}^{\mathrm{prf}}_{\mathcal{F},\mathcal{D}}(n) = \mathbf{Adv}^{\mathrm{prf}}_{F_n}(D_n)\,.$$
We say that $\mathcal{F}$ is a PRF if it is polynomial-time computable and also the function $\mathbf{Adv}^{\mathrm{prf}}_{\mathcal{F},\mathcal{D}}(\cdot)$ is negligible for
every polynomial-time distinguisher sequence $\mathcal{D}$.
Notice that this time the deﬁnition insists that the functions themselves can be eﬃciently computed.
Where can we find such PRFs? There are a variety of ways. We can build them out of pseudorandom bit
generators or one-way functions, a conservative but to date inefficient approach. There are more efficient
constructions whose security is based on the presumed hardness of specific number-theoretic problems.
The notion of a pseudorandom bit generator (PRBG) was discussed in Chapter 3. Recall it is a polynomial-time
computable function $G$ which takes a $k$-bit seed and produces a $p(k) > k$ bit sequence of bits that look
random to any efficient test.
The first construction of PRF families was from PRBGs which are length doubling: the output length is twice
the input length.
Theorem 5.19 [97] Given a length-doubling pseudorandom bit generator we can construct a sequence of families $\mathcal{F}$ which is a PRF.
The construction, called the binary tree construction, is like this. The function $G$ induces a tree of functions
$G_z$ in the following way:
• Define $G_0(x) \circ G_1(x) = G(x)$ where $k = |G_0(x)| = |G_1(x)|$.
• Define $G_{z \circ 0}(x) \circ G_{z \circ 1}(x) = G_z(x)$ where $k = |G_{z \circ 0}| = |G_{z \circ 1}|$.
Then $f_i(x)$ is defined in terms of the binary tree induced by $G$ as follows: $\forall x\; f_i(x) = G_x(i)$. We now let
$\mathcal{F} = \{F_k\}_{k \ge 1}$ where $F_k$ is $\{f_i : \{0,1\}^k \to \{0,1\}^k \mid |i| = k\}$. It is shown in [97] that this is secure.
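The binary tree construction as added example code, not taken from [97] or from the notes, read in the usual GGM form $G_{z \circ b}(x) = G_b(G_z(x))$: the two children of a node are the two $k$-bit halves of $G$ applied to that node, and $f_i(x) = G_x(i)$ walks the path selected by the bits of $x$ starting from the seed $i$. The length-doubling generator is a stand-in built from SHA-256 with $k = 256$, an assumption for this example only and not a proven PRBG.

```python
import hashlib

K_BYTES = 32  # k = 256-bit seeds, keys, inputs and outputs (assumption)


def G(x: bytes) -> bytes:
    """Stand-in for a length-doubling generator G: {0,1}^k -> {0,1}^2k.
    Assumption for this example: two SHA-256 evaluations of the seed under
    distinct prefixes. A real instantiation needs a provable PRBG."""
    if len(x) != K_BYTES:
        raise ValueError("seed must be k bits")
    return (hashlib.sha256(b"\x00" + x).digest()
            + hashlib.sha256(b"\x01" + x).digest())


def G_b(b: str, x: bytes) -> bytes:
    """G_0(x) and G_1(x): the left and right k-bit halves of G(x)."""
    out = G(x)
    return out[:K_BYTES] if b == "0" else out[K_BYTES:]


def G_z(z: str, x: bytes) -> bytes:
    """G_z(x) for a bit string z via G_{z∘b}(x) = G_b(G_z(x)): walk the
    binary tree rooted at x, going left on a 0 bit and right on a 1 bit."""
    node = x
    for b in z:
        node = G_b(b, node)
    return node


def bits(s: bytes) -> str:
    """Bit string of s, most significant bit first."""
    return "".join(f"{byte:08b}" for byte in s)


def f(i: bytes, x: bytes) -> bytes:
    """The PRF f_i(x) = G_x(i): the key i is the root seed and the k-bit
    input x selects a root-to-leaf path of depth k (k calls to G)."""
    if len(i) != K_BYTES or len(x) != K_BYTES:
        raise ValueError("key and input must both be k bits")
    return G_z(bits(x), i)


def tree_relation_holds(z: str, x: bytes) -> bool:
    """Check the defining relation at node z:
    G_{z∘0}(x) ∘ G_{z∘1}(x) = G(G_z(x))."""
    return G_z(z + "0", x) + G_z(z + "1", x) == G(G_z(z, x))


if __name__ == "__main__":
    key = bytes(range(K_BYTES))            # constructed sample key i
    x1 = bytes([0] * (K_BYTES - 1) + [1])  # two constructed inputs that
    x2 = bytes([0] * (K_BYTES - 1) + [2])  # differ only in the last byte
    print(f(key, x1).hex())
    print(f(key, x2).hex())
```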
Another construction based on a primitive called synthesizers was given by Naor and Reingold [150]. This yields
a PRBG-based construction which is more parallelizable than the binary-tree-based one.
We saw before that we can construct PRBGs from one-way functions [115, 111]. It follows from the above
that we can build (infinite) PRF families from one-way functions. Furthermore, one can see that given any
pseudorandom function family one can construct a one-way function [114]. Thus we have the following.
Theorem 5.20 There exists a sequence of families which is a PRF if and only if there exist one-way functions.
This is quite a strong statement. One-way functions are a seemingly weak primitive, a priori quite unrelated to
PRFs. Yet the one can be transformed into the other. Unfortunately the construction is not efficient enough
to be practical.
Naor and Reingold have suggested a construction of a sequence of families $\mathcal{F} = \{F_n\}_{n \ge 1}$ which they prove is a
PRF assuming that the DDH (Decisional Diffie-Hellman) problem is hard [151]. In this construction, evaluation
of a particular function from $F_n$ on an $l(n)$-bit input requires $l(n)$ modular multiplications and one modular
exponentiation, over an underlying group.
5.11 Some applications of PRFs
5.11.1 Cryptographically Strong Hashing
Let $P_1, P_2$ be polynomials so that $\forall x$, $P_1(x) > P_2(x)$. Define $F^{P_1,P_2} = \{f : \{0,1\}^{P_1(k)} \to \{0,1\}^{P_2(k)}\}$. Then we
wish to hash names into addresses where $|\mathrm{Name}| = P_1(k)$ and $|\mathrm{Address}| = P_2(k)$. We may use pseudorandom
functions to hash these names so that $\mathrm{Address} = f_i(\mathrm{Name})$.
Claim 5.21 If there exist one-way functions, then for all polynomials $P$, and for all integers $k$ sufficiently
large, the previous hashing algorithm admits no more than $O\!\left(\frac{1}{2^{\sqrt{\mathrm{Address}}}}\right) + \frac{1}{P(k)}$ collisions even if, after fixing the
scheme, the names are chosen by an adversary with access to previous (Name, Address) pairs.
5.11.2 Prediction
A prediction test $T(1^k)$
1. queries an oracle for $f \in F_k$, discovering $(x_1, f(x_1)), \ldots, (x_l, f(x_l))$,
2. outputs an "exam", $x$, and
3. is given $y$ so that with probability $\frac{1}{2}$, $y = f(x)$ (otherwise, $y$ is chosen randomly in $\{0,1\}^{|f(x)|} - \{f(x)\}$).
4. outputs 1 if it guesses that $y = f(x)$, 0 otherwise.
$F$ is said to pass the prediction test $T$ if $\forall Q \in \mathbb{Q}[x]$, $\exists k_0$, $\forall k > k_0$,
$$\Pr[T(1^k) \text{ guesses correctly given } y \text{ in step 3}] < \frac{1}{2} + \frac{1}{Q(k)}\,.$$
The above pseudorandom functions then pass all prediction tests (assuming there exist one-way functions).
5.11.3 Learning
Define a concept space $S$ and a concept $C \subseteq S$. A learner is exposed to a number of pairs $(e_i, \pm_i)$ where $e_i \in S$
and $\pm_i = + \Leftrightarrow e_i \in C$. The learner is then requested to determine if a given $e \in S$ is an element of $C$.
The above pseudorandom functions show that if there exist one-way functions, then there exist concepts not
learnable in polynomial time. (The concept in this case would be $\{x, f(x)\} \subseteq \{x, y\}$.)
5.11.4 Identify Friend or Foe
Consider the situation of two forces of war planes ﬁghting an air battle. Each plane wishes to identify potential
targets as friendly or enemy. This can be done using pseudorandom functions in the following way:
1. All the planes on a certain force know $i$.
2. To identify a target, a plane sends the target a random number $r$ and expects to receive back $f_i(r)$ if the
target is a friend.
Then, even though the enemy planes see many pairs of the form (x, f(x)), they cannot compute f(y) for y they
have not yet seen.
5.11.5 Private-Key Encryption
Let $A$ and $B$ privately agree on $i$. Then to encrypt message $m$, $A$ produces a random string $r$ and sends
$(r, f_i(r) \oplus m)$. $B$ can compute $f_i(r)$ and so compute $f_i(r) \oplus m \oplus f_i(r) = m$. Assuming that there exist one-way
functions, such a system is secure against chosen ciphertext attack, that is, secure even if the adversary can
compute $(r, f_i(r))$ for a collection of $r$'s. See Chapter 6 for more on this.
5.12 Historical notes
The concept of pseudorandom functions is due to Goldreich, Goldwasser and Micali [97], while that of pseudorandom
permutation is due to Luby and Rackoff [138]. These works are in the complexity-theoretic or "asymptotic"
setting, where one considers an infinite sequence of families rather than just one family, and defines security by
saying that polynomial-time adversaries have "negligible" advantage. The approach used for the bulk of the
current chapter, motivated by the desire to model block ciphers, is called "concrete security," and originates
with [13]. Definitions 5.6 and 5.7 are from [13], as are Propositions 5.16 and 5.17.
5.13 Problems
Problem 5.22 Let $E: \{0,1\}^k \times \{0,1\}^n \to \{0,1\}^n$ be a secure PRP. Consider the family of permutations
$E': \{0,1\}^k \times \{0,1\}^{2n} \to \{0,1\}^{2n}$ defined for all $x, x' \in \{0,1\}^n$ by
$$E'_K(x\,x') = E_K(x)\, E_K(x \oplus x')\,.$$
Show that $E'$ is not a secure PRP.
Problem 5.23 Consider the following block cipher $E: \{0,1\}^3 \times \{0,1\}^2 \to \{0,1\}^2$:

 key | 0 1 2 3
-----+--------
  0  | 0 1 2 3
  1  | 3 0 1 2
  2  | 2 3 0 1
  3  | 1 2 3 0
  4  | 0 3 2 1
  5  | 1 0 3 2
  6  | 2 1 0 3
  7  | 3 2 1 0

(The eight possible keys are the eight rows, and each row shows the points to which 0, 1, 2, and 3 map.)
Compute the maximal prp-advantage an adversary can get (a) with one query, (b) with four queries, and (c)
with two queries.
Problem 5.24 Present a secure construction for the problem of Example 5.11. That is, given a PRF $F: \{0,1\}^k \times \{0,1\}^n \to \{0,1\}^n$, construct a PRF $G: \{0,1\}^k \times \{0,1\}^n \to \{0,1\}^{2n}$ which is a secure PRF as long as $F$ is secure.
Problem 5.25 Design a block cipher $E: \{0,1\}^k \times \{0,1\}^{128} \to \{0,1\}^{128}$ that is secure (up to a large number
of queries) against non-adaptive adversaries, but is completely insecure (even for two queries) against an
adaptive adversary. (A non-adaptive adversary readies all her questions $M_1, \ldots, M_q$ in advance, getting back
$E_K(M_1), \ldots, E_K(M_q)$. An adaptive adversary is the sort we have dealt with throughout: each query may depend
on prior answers.)
Problem 5.26 Let $a[i]$ denote the $i$th bit of a binary string $a$, where $1 \le i \le |a|$. The inner product of $n$-bit
binary strings $a, b$ is
$$\langle a, b\rangle = a[1]b[1] \oplus a[2]b[2] \oplus \cdots \oplus a[n]b[n]\,.$$
A family of functions $F: \{0,1\}^k \times \{0,1\}^l \to \{0,1\}^L$ is said to be inner-product preserving if for every $K \in \{0,1\}^k$
and every distinct $x_1, x_2 \in \{0,1\}^l - \{0^l\}$ we have
$$\langle F(K, x_1), F(K, x_2)\rangle = \langle x_1, x_2\rangle\,.$$
Prove that if $F$ is inner-product preserving then there exists an adversary $A$, making at most two oracle queries
and having running time $2T_F + O(l)$, where $T_F$ denotes the time to perform one computation of $F$, such that
$$\mathbf{Adv}^{\mathrm{prf}}_{F}(A) \ge \frac{1}{2}\left(1 + \frac{1}{2^{L}}\right).$$
Explain in a sentence why this shows that if $F$ is inner-product preserving then $F$ is not a secure PRF.
Problem 5.27 Let $E: \{0,1\}^k \times \{0,1\}^l \to \{0,1\}^l$ be a block cipher. The twofold cascade of $E$ is the block
cipher $E^{(2)}: \{0,1\}^{2k} \times \{0,1\}^l \to \{0,1\}^l$ defined by
$$E^{(2)}(K_1 K_2, x) = E(K_1, E(K_2, x))$$
for all $K_1, K_2 \in \{0,1\}^k$ and all $x \in \{0,1\}^l$. Prove that if $E$ is a secure PRP then so is $E^{(2)}$.
Problem 5.28 Let $A$ be an adversary that makes at most $q$ total queries to its two oracles, $f$ and $g$, where
$f, g: \{0,1\}^n \to \{0,1\}^n$. Assume that $A$ never asks the same query $X$ to both of its oracles. Define
$$\mathrm{Adv}(A) = \Pr\bigl[\pi \xleftarrow{\$} \mathrm{Perm}(n) : A^{\pi(\cdot),\pi(\cdot)} = 1\bigr] - \Pr\bigl[\pi, \pi' \xleftarrow{\$} \mathrm{Perm}(n) : A^{\pi(\cdot),\pi'(\cdot)} = 1\bigr].$$
Prove a good upper bound for $\mathrm{Adv}(A)$, say $\mathrm{Adv}(A) \le q^2/2^n$.
Problem 5.29 Let $F: \{0,1\}^k \times \{0,1\}^l \to \{0,1\}^l$ be a family of functions and $r \ge 1$ an integer. The $r$-round
Feistel cipher associated to $F$ is the family of permutations $F^{(r)}: \{0,1\}^{rk} \times \{0,1\}^{2l} \to \{0,1\}^{2l}$ defined as follows
for any $K_1, \ldots, K_r \in \{0,1\}^k$ and input $x \in \{0,1\}^{2l}$:

Function $F^{(r)}(K_1 \cdots K_r, x)$
    Parse x as L_0 R_0 with |L_0| = |R_0| = l
    For i = 1, . . . , r do
        L_i ← R_{i−1}; R_i ← F(K_i, R_{i−1}) ⊕ L_{i−1}
    EndFor
    Return L_r R_r

(a) Prove that there exists an adversary $A$, making at most two oracle queries and having running time about
that to do two computations of $F$, such that
$$\mathbf{Adv}^{\mathrm{prf}}_{F^{(2)}}(A) \ge 1 - 2^{-l}\,.$$
(b) Prove that there exists an adversary $A$, making at most two queries to its first oracle and one to its second
oracle, and having running time about that to do three computations of $F$ or $F^{-1}$, such that
$$\mathbf{Adv}^{\mathrm{prp\text{-}cca}}_{F^{(3)}}(A) \ge 1 - 3 \cdot 2^{-l}\,.$$
Problem 5.30 Let $E: \mathcal{K} \times \{0,1\}^n \to \{0,1\}^n$ be a function family and let $A$ be an adversary that asks at
most $q$ queries. In trying to construct a proof that $|\mathbf{Adv}^{\mathrm{prp}}_{E}(A) - \mathbf{Adv}^{\mathrm{prf}}_{E}(A)| \le q^2/2^{n+1}$, Michael and Peter
put forward an argument a fragment of which is as follows:
    Consider an adversary $A$ that asks at most $q$ oracle queries to a function $\rho$, where $\rho$ is determined by
    randomly sampling from $\mathrm{Func}(n)$. Let $C$ (for "collision") be the event that $A$ asks some two distinct
    queries $X$ and $X'$ and the oracle returns the same answer. Then clearly
    $$\Pr[\pi \xleftarrow{\$} \mathrm{Perm}(n) : A^{\pi} \Rightarrow 1] = \Pr[\rho \xleftarrow{\$} \mathrm{Func}(n) : A^{\rho} \Rightarrow 1 \mid \overline{C}]\,.$$
Show that Michael and Peter have it all wrong: prove that $\Pr[\pi \xleftarrow{\$} \mathrm{Perm}(n) : A^{\pi} \Rightarrow 1]$ is not necessarily the
same as $\Pr[\rho \xleftarrow{\$} \mathrm{Func}(n) : A^{\rho} \Rightarrow 1 \mid \overline{C}]$. Do this by selecting a number $n$ and constructing an adversary $A$ for
which the left and right sides of the equation above are unequal.
Chapter 6
Private-key encryption
The symmetric setting considers two parties who share a key and will use this key to imbue communicated data
with various security attributes. The main security goals are privacy and authenticity of the communicated
data. The present chapter looks at privacy and Chapter 9 looks at authenticity. Chapters 4 and 5 describe
tools we shall use here.
6.1 Symmetric encryption schemes
The primitive we will consider is called an encryption scheme. Such a scheme speciﬁes an encryption algorithm,
which tells the sender how to process the plaintext using the key, thereby producing the ciphertext that is
actually transmitted. An encryption scheme also speciﬁes a decryption algorithm, which tells the receiver how
to retrieve the original plaintext from the transmission while possibly performing some veriﬁcation, too. Finally,
there is a keygeneration algorithm, which produces a key that the parties need to share. The formal description
follows.
Definition 6.1 A symmetric encryption scheme $\mathcal{SE} = (\mathcal{K}, \mathcal{E}, \mathcal{D})$ consists of three algorithms, as follows:
• The randomized key generation algorithm $\mathcal{K}$ returns a string $K$. We let $\mathrm{Keys}(\mathcal{SE})$ denote the set of all
strings that have non-zero probability of being output by $\mathcal{K}$. The members of this set are called keys. We
write $K \xleftarrow{\$} \mathcal{K}$ for the operation of executing $\mathcal{K}$ and letting $K$ denote the key returned.
• The encryption algorithm $\mathcal{E}$, which might be randomized or stateful, takes a key $K \in \mathrm{Keys}(\mathcal{SE})$ and a
plaintext $M \in \{0,1\}^*$ to return a ciphertext $C \in \{0,1\}^* \cup \{\bot\}$. We write $C \xleftarrow{\$} \mathcal{E}_K(M)$ for the operation
of executing $\mathcal{E}$ on $K$ and $M$ and letting $C$ denote the ciphertext returned.
• The deterministic decryption algorithm $\mathcal{D}$ takes a key $K \in \mathrm{Keys}(\mathcal{SE})$ and a ciphertext $C \in \{0,1\}^*$ to
return some $M \in \{0,1\}^* \cup \{\bot\}$. We write $M \leftarrow \mathcal{D}_K(C)$ for the operation of executing $\mathcal{D}$ on $K$ and $C$ and
letting $M$ denote the message returned.
The scheme is said to provide correct decryption if for any key $K \in \mathrm{Keys}(\mathcal{SE})$ and any message $M \in \{0,1\}^*$
$$\Pr\bigl[C \xleftarrow{\$} \mathcal{E}_K(M) : C = \bot \text{ OR } \mathcal{D}_K(C) = M\bigr] = 1\,.$$
The keygeneration algorithm, as the deﬁnition indicates, is randomized. It takes no inputs. When it is run, it
ﬂips coins internally and uses these to select a key K. Typically, the key is just a random string of some length,
in which case this length is called the key length of the scheme. When two parties want to use the scheme, it is
assumed they are in possession of $K$ generated via $\mathcal{K}$.
How they came into joint possession of this key K in such a way that the adversary did not get to know K is
not our concern here, and will be addressed later. For now we assume the key has been shared.
Once in possession of a shared key, the sender can run the encryption algorithm with key K and input message
M to get back a string we call the ciphertext. The latter can then be transmitted to the receiver.
The encryption algorithm may be either randomized or stateful. If randomized, it ﬂips coins and uses those to
compute its output on a given input K, M. Each time the algorithm is invoked, it ﬂips coins anew. In particular,
invoking the encryption algorithm twice on the same inputs may not yield the same response both times.
We say the encryption algorithm is stateful if its operation depends on a quantity called the state that is
initialized in some prespeciﬁed way. When the encryption algorithm is invoked on inputs K, M, it computes a
ciphertext based on K, M and the current state. It then updates the state, and the new state value is stored.
(The receiver does not maintain matching state and, in particular, decryption does not require access to any
global variable or call for any synchronization between parties.) Usually, when there is state to be maintained,
the state is just a counter. If there is no state maintained by the encryption algorithm the encryption scheme
is said to be stateless.
The encryption algorithm might be both randomized and stateful, but in practice this is rare: it is usually one
or the other but not both.
When we talk of a randomized symmetric encryption scheme we mean that the encryption algorithm is
randomized. When we talk of a stateful symmetric encryption scheme we mean that the encryption algorithm is
stateful.
The receiver, upon receiving a ciphertext $C$, will run the decryption algorithm with the same key used to create
the ciphertext, namely compute $\mathcal{D}_K(C)$. The decryption algorithm is neither randomized nor stateful.
Many encryption schemes restrict the set of strings that they are willing to encrypt. (For example, perhaps
the algorithm can only encrypt plaintexts of length a positive multiple of some block length n, and can only
encrypt plaintexts of length up to some maximum length.) These kinds of restrictions are captured by having
the encryption algorithm return the special symbol ⊥ when fed a message not meeting the required restriction.
In a stateless scheme, there is typically a set of strings, called the plaintext space, such that
$$\Pr\bigl[C \xleftarrow{\$} \mathcal{E}_K(M) : C \ne \bot\bigr] = 1$$
for all $K$ and all $M$ in the plaintext space. In a stateful scheme, whether or not $\mathcal{E}_K(M)$ returns $\bot$ depends not
only on $M$ but also possibly on the value of the state variable. For example, when a counter is being used, it
is typical that there is a limit to the number of encryptions performed, and when the counter reaches a certain
value the encryption algorithm returns $\bot$ no matter what message is fed to it.
The correct decryption requirement simply says that decryption works: if a message $M$ is encrypted under a
key $K$ to yield a ciphertext $C$, then one can recover $M$ by decrypting $C$ under $K$. This holds, however, only if
$C \ne \bot$. The condition thus says that, for each key $K \in \mathrm{Keys}(\mathcal{SE})$ and message $M \in \{0,1\}^*$, with probability
one over the coins of the encryption algorithm, either the latter outputs $\bot$ or it outputs a ciphertext $C$ which
upon decryption yields $M$. If the scheme is stateful, this condition is required to hold for every value of the
state.
Correct decryption is, naturally, a requirement before one can use a symmetric encryption scheme in practice, for
if this condition is not met, the scheme fails to communicate information accurately. In analyzing the security
of symmetric encryption schemes, however, we will see that it is sometimes useful to be able to consider ones
that do not meet this condition.
6.2 Some symmetric encryption schemes
We now provide a few examples of encryption schemes. We stress that not all of the schemes that follow are
secure encryption schemes. Some are secure and some are not, as we will see later. All the schemes here satisfy
the correct decryption requirement.
6.2.1 The one-time-pad encryption scheme
We begin with the classical one-time-pad.
Scheme 6.2 [One-time-pad encryption] The one-time-pad encryption scheme $\mathcal{SE} = (\mathcal{K}, \mathcal{E}, \mathcal{D})$ is stateful
and deterministic. The key-generation algorithm simply returns a random $k$-bit string $K$, where the key length
$k$ is a parameter of the scheme, so that the key space is $\mathrm{Keys}(\mathcal{SE}) = \{0,1\}^k$. The encryptor maintains a counter
ctr which is initially zero. The encryption and decryption algorithms operate as follows:

algorithm $\mathcal{E}_K(M)$
    Let static ctr ← 0
    Let m ← |M|
    if ctr + m > k then return ⊥
    C ← M ⊕ K[ctr + 1 .. ctr + m]
    ctr ← ctr + m
    return ⟨ctr − m, C⟩

algorithm $\mathcal{D}_K(⟨ctr, C⟩)$
    Let m ← |C|
    if ctr + m > k then return ⊥
    M ← C ⊕ K[ctr + 1 .. ctr + m]
    return M

Here $X[i .. j]$ denotes the $i$th through $j$th bit of the binary string $X$. By $\langle \mathrm{ctr}, C\rangle$ we mean a string that
encodes the number ctr and the string $C$. The most natural encoding is to encode ctr using some fixed number
of bits, at least $\lg k$, and to prepend this to $C$. Conventions are established so that every string $Y$ is regarded as
encoding some $\langle \mathrm{ctr}, C\rangle$ for some ctr, $C$. The encryption algorithm XORs the message bits with key bits, starting
with the key bit indicated by one plus the current counter value. The counter is then incremented by the length
of the message. Key bits are not reused, and thus if not enough key bits are available to encrypt a message,
the encryption algorithm returns $\bot$. Note that the ciphertext returned includes the value of the counter. This
is to enable decryption. (Recall that the decryption algorithm, as per Definition 6.1, must be stateless and
deterministic, so we do not want it to have to maintain a counter as well.)
6.2.2 Some modes of operation
The following schemes rely either on a family of permutations (i.e., a block cipher) or a family of functions.
Effectively, the mechanisms spell out how to use the block cipher to encrypt. We call such a mechanism a
mode of operation of the block cipher. For some of the schemes it is convenient to assume that the length of the
message to be encrypted is a positive multiple of a block length associated to the family. Accordingly, we will let
the encryption algorithm return $\bot$ if this is not the case. In practice, one could pad the message appropriately
so that the padded message always had length a positive multiple of the block length, and apply the encryption
algorithm to the padded message. The padding function should be injective and easily invertible. In this way
you would create a new encryption scheme.
The ﬁrst scheme we consider is ECB (Electronic Codebook Mode), whose security is considered in Section 6.5.1.
Scheme 6.3 [ECB mode] Let $E: \mathcal{K} \times \{0,1\}^n \to \{0,1\}^n$ be a block cipher. Operating it in ECB (Electronic
Code Book) mode yields a stateless symmetric encryption scheme $\mathcal{SE} = (\mathcal{K}, \mathcal{E}, \mathcal{D})$. The key-generation algorithm
simply returns a random key for the block cipher, meaning it picks a random string $K \xleftarrow{\$} \mathcal{K}$ and returns it. The
encryption and decryption algorithms are depicted in Figure 6.1. "Break $M$ into $n$-bit blocks $M[1] \cdots M[m]$"
means to set $m = |M|/n$ and, for $i \in \{1, \ldots, m\}$, set $M[i]$ to the $i$th $n$-bit block in $M$, that is, bits $(i-1)n+1$
through $in$ of $M$. Similarly for breaking $C$ into $C[1] \cdots C[m]$. Notice that this time the encryption algorithm
did not make any random choices. (That does not mean it is not, technically, a randomized algorithm; it is
simply a randomized algorithm that happened not to make any random choices.)
The next scheme, cipherblock chaining (CBC) with random initial vector, is the most popular blockcipher
mode of operation, used pervasively in practice.
algorithm $\mathcal{E}_K(M)$
    if (|M| mod n ≠ 0 or |M| = 0) then return ⊥
    Break M into n-bit blocks M[1] ··· M[m]
    for i ← 1 to m do
        C[i] ← E_K(M[i])
    C ← C[1] ··· C[m]
    return C

algorithm $\mathcal{D}_K(C)$
    if (|C| mod n ≠ 0 or |C| = 0) then return ⊥
    Break C into n-bit blocks C[1] ··· C[m]
    for i ← 1 to m do
        M[i] ← E_K^{−1}(C[i])
    M ← M[1] ··· M[m]
    return M

Figure 6.1: ECB mode.

algorithm $\mathcal{E}_K(M)$
    if (|M| mod n ≠ 0 or |M| = 0) then return ⊥
    Break M into n-bit blocks M[1] ··· M[m]
    C[0] ← IV ←$ {0,1}^n
    for i ← 1 to m do
        C[i] ← E_K(C[i−1] ⊕ M[i])
    C ← C[1] ··· C[m]
    return ⟨IV, C⟩

algorithm $\mathcal{D}_K(⟨IV, C⟩)$
    if (|C| mod n ≠ 0 or |C| = 0) then return ⊥
    Break C into n-bit blocks C[1] ··· C[m]
    C[0] ← IV
    for i ← 1 to m do
        M[i] ← E_K^{−1}(C[i]) ⊕ C[i−1]
    M ← M[1] ··· M[m]
    return M

Figure 6.2: CBC$ mode.
Scheme 6.4 [CBC$ mode] Let $E: \mathcal{K} \times \{0,1\}^n \to \{0,1\}^n$ be a block cipher. Operating it in CBC mode
with random IV yields a stateless symmetric encryption scheme, $\mathcal{SE} = (\mathcal{K}, \mathcal{E}, \mathcal{D})$. The key generation algorithm
simply returns a random key for the block cipher, $K \xleftarrow{\$} \mathcal{K}$. The encryption and decryption algorithms are
depicted in Figure 6.2. The IV ("initialization vector") is $C[0]$, which is chosen at random by the encryption
algorithm. This choice is made independently each time the algorithm is invoked.
For the following schemes it is useful to introduce some notation. If $n \ge 1$ and $i \ge 0$ are integers then we let
$\mathrm{NtS}_n(i)$ denote the $n$-bit string that is the binary representation of integer $i \bmod 2^n$. If we use a number $i \ge 0$
in a context for which a string $I \in \{0,1\}^n$ is required, it is understood that we mean to replace $i$ by $I = \mathrm{NtS}_n(i)$.
The following is a counterbased version of CBC mode, whose security is considered in Section 6.5.3.
Scheme 6.5 [CBCC mode] Let $E: \mathcal{K} \times \{0,1\}^n \to \{0,1\}^n$ be a block cipher. Operating it in CBC mode
with counter IV yields a stateful symmetric encryption scheme, $\mathcal{SE} = (\mathcal{K}, \mathcal{E}, \mathcal{D})$. The key generation algorithm
simply returns a random key for the block cipher, $K \xleftarrow{\$} \mathcal{K}$. The encryptor maintains a counter ctr which is
initially zero. The encryption and decryption algorithms are depicted in Figure 6.3. The IV ("initialization
vector") is $C[0]$, which is set to the current value of the counter. The counter is then incremented each time a
message is encrypted. The counter is a static variable, meaning that its value is preserved across invocations of
the encryption algorithm.

algorithm $\mathcal{E}_K(M)$
    static ctr ← 0
    if (|M| mod n ≠ 0 or |M| = 0) then return ⊥
    Break M into n-bit blocks M[1] ··· M[m]
    if ctr ≥ 2^n then return ⊥
    C[0] ← IV ← [ctr]_n
    for i ← 1 to m do
        C[i] ← E_K(C[i−1] ⊕ M[i])
    C ← C[1] ··· C[m]
    ctr ← ctr + 1
    return ⟨IV, C⟩

algorithm $\mathcal{D}_K(⟨IV, C⟩)$
    if (|C| mod n ≠ 0 or |C| = 0) then return ⊥
    Break C into n-bit blocks C[1] ··· C[m]
    if IV + m > 2^n then return ⊥
    C[0] ← IV
    for i ← 1 to m do
        M[i] ← E_K^{−1}(C[i]) ⊕ C[i−1]
    M ← M[1] ··· M[m]
    return M

Figure 6.3: CBCC mode.
The CTR (counter) modes that follow are not much used, to the best of our knowledge, but perhaps wrongly
so. We will see later that they have good privacy properties. In contrast to CBC, the encryption procedure is
parallelizable, which can be exploited to speed up the process in the presence of hardware support. It is also
the case that the methods work for strings of arbitrary bit lengths, without doing anything “special” to achieve
this end. There are two variants of CTR mode, one random and the other stateful, and, as we will see later,
their security properties are diﬀerent. For security analyses see Section 6.7 and Section 6.10.1.
Scheme 6.6 [CTR$ mode] Let $F: \mathcal{K} \times \{0,1\}^l \to \{0,1\}^L$ be a family of functions. (Possibly a block
cipher, but not necessarily.) Then CTR mode over $F$ with a random starting point is a probabilistic, stateless
symmetric encryption scheme, $\mathcal{SE} = (\mathcal{K}, \mathcal{E}, \mathcal{D})$. The key-generation algorithm simply returns a random key
for $F$. The encryption and decryption algorithms are depicted in Figure 6.4. The starting point $R$ is used to
define a sequence of values on which $F_K$ is applied to produce a "pseudo one-time pad" to which the plaintext
is XORed. The starting point $R$ chosen by the encryption algorithm is a random $l$-bit string. To add an $l$-bit
string $R$ to an integer $i$—when we write $F_K(R + i)$—convert the bit string $R$ into an integer in the range
$[0 .. 2^l - 1]$ in the usual way, add this number to $i$, take the result modulo $2^l$, and then convert this back into an
$l$-bit string. Note that the starting point $R$ is included in the ciphertext, to enable decryption. On encryption,
the pad Pad is understood to be the empty string when $m = 0$.
algorithm $\mathcal{E}_K(M)$
    m ← ⌈|M|/L⌉
    R ←$ {0,1}^l
    Pad ← F_K(R + 1) F_K(R + 2) ··· F_K(R + m)
    Pad ← the first |M| bits of Pad
    C' ← M ⊕ Pad
    C ← R C'
    return C

algorithm $\mathcal{D}_K(C)$
    if |C| < l then return ⊥
    Parse C into R C' where |R| = l
    m ← ⌈|C'|/L⌉
    Pad ← F_K(R + 1) F_K(R + 2) ··· F_K(R + m)
    Pad ← the first |C'| bits of Pad
    M ← C' ⊕ Pad
    return M

Figure 6.4: CTR$ mode using a family of functions $F: \mathcal{K} \times \{0,1\}^l \to \{0,1\}^L$. This version of counter mode is
randomized and stateless.

We now give the counter-based version of CTR mode.
Scheme 6.7 [CTRC mode] Let $F: \mathcal{K} \times \{0,1\}^l \to \{0,1\}^L$ be a family of functions. (Possibly a block cipher,
but not necessarily.) Operating it in CTR mode with a counter starting point is a stateful symmetric encryption
scheme, $\mathcal{SE} = (\mathcal{K}, \mathcal{E}, \mathcal{D})$, which we call CTRC. The key-generation algorithm simply returns a random key for $F$.
The encryptor maintains a counter ctr which is initially zero. The encryption and decryption algorithms are
depicted in Figure 6.5. Position index ctr is not allowed to wrap around: the encryption algorithm returns $\bot$
if this would happen. The position index is included in the ciphertext in order to enable decryption. The
encryption algorithm updates the position index upon each invocation, and begins with this updated value the
next time it is invoked.
We will return to the security of these schemes after we have developed the appropriate notions.
6.3 Issues in privacy
Let us fix a symmetric encryption scheme $\mathcal{SE} = (\mathcal{K}, \mathcal{E}, \mathcal{D})$. Two parties share a key $K$ for this scheme, this key
having been generated as $K \xleftarrow{\$} \mathcal{K}$. The adversary does not a priori know $K$. We now want to explore the issue
of what the privacy of the scheme might mean. For this chapter, security is privacy, and we are trying to get
to the heart of what security is about.
The adversary is assumed able to capture any ciphertext that ﬂows on the channel between the two parties. It
can thus collect ciphertexts, and try to glean something from them. Our ﬁrst question is: what exactly does
“glean” mean? What tasks, were the adversary to accomplish them, would make us declare the scheme insecure?
And, correspondingly, what tasks, were the adversary unable to accomplish them, would make us declare the
scheme secure?
It is easier to think about insecurity than security, because we can certainly identify adversary actions that
indubitably imply the scheme is insecure. So let us begin here.
For example, if the adversary can, from a few ciphertexts, derive the underlying key K, it can later decrypt
anything it sees, so if the scheme allowed easy key recovery from a few ciphertexts it is deﬁnitely insecure.
Now, the mistake that is often made is to go on to reverse this, saying that if key recovery is hard, then the
scheme is secure. This is certainly not true, for there are other possible weaknesses. For example, what if,
given the ciphertext, the adversary could easily recover the plaintext M without ﬁnding the key? Certainly the
scheme is insecure then too.
algorithm $\mathcal{E}_K(M)$
    static ctr ← 0
    m ← ⌈|M|/L⌉
    If ctr + m ≥ 2^l then return ⊥
    Pad ← F_K(ctr + 1) F_K(ctr + 2) ··· F_K(ctr + m)
    Pad ← the first |M| bits of Pad
    C ← M ⊕ Pad
    ctr ← ctr + m
    return ⟨ctr − m, C⟩

algorithm $\mathcal{D}_K(⟨i, C⟩)$
    m ← ⌈|C|/L⌉
    Pad ← F_K(i + 1) F_K(i + 2) ··· F_K(i + m)
    Pad ← the first |C| bits of Pad
    M ← Pad ⊕ C
    return M

Figure 6.5: CTRC mode using a family of functions $F: \mathcal{K} \times \{0,1\}^l \to \{0,1\}^L$. This version of counter mode
uses stateful (but deterministic) encryption.
So should we now declare a scheme secure if it is hard to recover a plaintext from the ciphertext? Many people
would say yes. Yet, this would be wrong too.
One reason is that the adversary might be able to ﬁgure out partial information about M. For example, even
though it might not be able to recover M, the adversary might, given C, be able to recover the ﬁrst bit of M,
or the sum of all the bits of M. This is not good, because these bits might carry valuable information.
For a concrete example, say I am communicating to my broker a message which is a sequence of “buy” or “sell”
decisions for a prespeciﬁed sequence of stocks. That is, we have certain stocks, numbered 1 through m, and bit
i of the message is 1 if I want to buy stock i and 0 otherwise. The message is sent encrypted. But if the ﬁrst
bit leaks, the adversary knows whether I want to buy or sell stock 1, which may be something I don’t want to
reveal. If the sum of the bits leaks, the adversary knows how many stocks I am buying.
Granted, this might not be a problem at all if the data were in a diﬀerent format. However, making assumptions,
or requirements, on how users format data, or how they use it, is a bad and dangerous approach to secure
protocol design. An important principle of good cryptographic design is that the encryption scheme should
provide security regardless of the format of the plaintext. Users should not have to worry about the how they
format their data: they format it as they like, and encryption should provide privacy nonetheless.
Put another way, as designers of security protocols, we should not make assumptions about data content or
formats. Our protocols must protect any data, no matter how formatted. We view it as the job of the protocol
designer to ensure this is true.
At this point it should start becoming obvious that there is an inﬁnite list of insecurity properties, and we can
hardly attempt to characterize security as their absence. We need to think about security in a diﬀerent and
more direct way and arrive at some deﬁnition of it.
This important task is surprisingly neglected in many treatments of cryptography, which will provide you with
many schemes and attacks, but never actually deﬁne the goal by saying what an encryption scheme is actually
trying to achieve and when it should be considered secure rather than merely not known to be insecure. This
is the task that we want to address.
One might want to say something like: the encryption scheme is secure if given C, the adversary has no idea
what M is. This however cannot be true, because of what is called a priori information. Often, something
about the message is known. For example, it might be a packet with known headers. Or, it might be an English
word. So the adversary, and everyone else, has some information about the message even before it is encrypted.
92 Goldwasser and Bellare
We want schemes that are secure in the strongest possible natural sense. What is the best we could hope for?
It is useful to make a thought experiment. What would an “ideal” encryption be like? Well, it would be as
though some angel took the message M from the sender and delivered it to the receiver, in some magic way.
The adversary would see nothing at all. Intuitively, our goal is to approximate this as best as possible. We
would like encryption to have the properties of ideal encryption. In particular, no partial information would
leak.
We do deviate from the ideal in one way, though. Encryption is not asked to hide the length of the plaintext
string. This information not only can leak but is usually supposed to be known to the adversary a priori.
As an example, consider the ECB encryption scheme of Scheme 6.3. Given the ciphertext, can an eavesdropping adversary figure out the message? It is hard to see how, since it does not know $K$, and if $F$ is a “good” block cipher, then it ought to have a hard time inverting $F_K$ without knowledge of the underlying key. Nonetheless this is not a good scheme. Consider just the case $n = 1$ of a single block message. Suppose a missile command center has just two messages, $1^n$ for fire and $0^n$ for don’t fire. It keeps sending data, but always one of these two. What happens? When the first ciphertext $C_1$ goes by, the adversary may not know what is the plaintext. But then, let us say it sees a missile taking off. Now, it knows the message $M_1$ underlying $C_1$ was $1^n$. But then it can easily decrypt all subsequent messages, for if it sees a ciphertext $C$, the message is $1^n$ if $C = C_1$ and $0^n$ if $C \neq C_1$.
In a secure encryption scheme, it should not be possible to relate ciphertexts of diﬀerent messages of the same
length in such a way that information is leaked.
Not allowing message equalities to be leaked has a dramatic implication. Namely, encryption must be probabilistic or depend on state information. If not, you can always tell if the same message was sent twice. Each encryption must use fresh coin tosses, or, say, a counter, and an encryption of a particular message may be different each time. In terms of our setup it means $\mathcal{E}$ is a probabilistic or stateful algorithm. That’s why we defined symmetric encryption schemes, above, to allow these types of algorithms.
The reason this is dramatic is that it goes in many ways against the historical or popular notion of encryption.
Encryption was once thought of as a code, a ﬁxed mapping of plaintexts to ciphertexts. But this is not the
contemporary viewpoint. A single plaintext should have many possible ciphertexts (depending on the random
choices or the state of the encryption algorithm). Yet it must be possible to decrypt. How is this possible? We
have seen several examples above.
One formalization of privacy is what is called perfect security, an information-theoretic notion introduced by Shannon and showed by him to be met by the one-time pad scheme. Perfect security asks that regardless of
the computing power available to the adversary, the ciphertext provides it no information about the plaintext
beyond the a priori information it had prior to seeing the ciphertext. Perfect security is a very strong attribute,
but achieving it requires a key as long as the total amount of data encrypted, and this is not usually practical.
So here we look at a notion of computational security. The security will only hold with respect to adversaries
of limited computing power. If the adversary works harder, she can ﬁgure out more, but a “feasible” amount
of eﬀort yields no noticeable information. This is the important notion for us and will be used to analyze the
security of schemes such as those presented above.
6.4 Indistinguishability under chosen-plaintext attack
Having discussed the issues in Section 6.3 above, we will now distill a formal definition of security.
6.4.1 Definition
The basic idea behind indistinguishability (or, more fully, left-or-right indistinguishability under a chosen-plaintext attack) is to consider an adversary (not in possession of the secret key) who chooses two messages
of the same length. Then one of the two messages is encrypted, and the ciphertext is given to the adversary.
The scheme is considered secure if the adversary has a hard time telling which of the two messages was the one
encrypted.
Cryptography: Lecture Notes 93
Oracle $\mathcal{E}_K(\mathrm{LR}(M_0, M_1, b))$    // $b \in \{0, 1\}$ and $M_0, M_1 \in \{0, 1\}^*$
    If $|M_0| \neq |M_1|$ then return $\bot$
    $C \stackrel{\$}{\leftarrow} \mathcal{E}_K(M_b)$
    Return $C$

Figure 6.6: Left-or-right (lor) encryption oracle used to define IND-CPA security of encryption scheme $\mathcal{SE} = (\mathcal{K}, \mathcal{E}, \mathcal{D})$.
We will actually give the adversary a little more power, letting her choose a whole sequence of pairs of equal
length messages. Let us now detail the game.
The adversary chooses a sequence of pairs of messages, $(M_{0,1}, M_{1,1}), \ldots, (M_{0,q}, M_{1,q})$, where, in each pair, the two messages have the same length. We give to the adversary a sequence of ciphertexts $C_1, \ldots, C_q$ where either (1) $C_i$ is an encryption of $M_{0,i}$ for all $1 \le i \le q$ or, (2) $C_i$ is an encryption of $M_{1,i}$ for all $1 \le i \le q$. In doing the encryptions, the encryption algorithm uses the same key but fresh coins, or an updated state, each time. The adversary gets the sequence of ciphertexts and now it must guess whether $M_{0,1}, \ldots, M_{0,q}$ were encrypted or $M_{1,1}, \ldots, M_{1,q}$ were encrypted.
To further empower the adversary, we let it choose the sequence of message pairs via a chosen-plaintext attack. This means that the adversary chooses the first pair, then receives $C_1$, then chooses the second pair, receives $C_2$, and so on. (Sometimes this is called an adaptive chosen-plaintext attack, because the adversary can adaptively choose each query in a way responsive to the earlier answers.)
Let us now formalize this. We fix some encryption scheme $\mathcal{SE} = (\mathcal{K}, \mathcal{E}, \mathcal{D})$. It could be either stateless or stateful. We consider an adversary $A$. It is a program which has access to an oracle to which it can provide as input any pair of equal-length messages. The oracle will return a ciphertext. We will consider two possible ways in which this ciphertext is computed by the oracle, corresponding to two possible “worlds” in which the adversary “lives”. To do this, first define the left-or-right encryption oracle (abbreviated lr-encryption oracle) $\mathcal{E}_K(\mathrm{LR}(\cdot, \cdot, b))$ as shown in Figure 6.6. The oracle encrypts one of the messages, the choice of which being made according to the bit $b$. Now the two worlds are as follows:
World 0: The oracle provided to the adversary is $\mathcal{E}_K(\mathrm{LR}(\cdot, \cdot, 0))$. So, whenever the adversary makes a query $(M_0, M_1)$ with $|M_0| = |M_1|$, the oracle computes $C \stackrel{\$}{\leftarrow} \mathcal{E}_K(M_0)$, and returns $C$ as the answer.
World 1: The oracle provided to the adversary is $\mathcal{E}_K(\mathrm{LR}(\cdot, \cdot, 1))$. So, whenever the adversary makes a query $(M_0, M_1)$ with $|M_0| = |M_1|$ to its oracle, the oracle computes $C \stackrel{\$}{\leftarrow} \mathcal{E}_K(M_1)$, and returns $C$ as the answer.
We also call the ﬁrst world (or oracle) the “left” world (or oracle), and the second world (or oracle) the “right”
world (or oracle). The problem for the adversary is, after talking to its oracle for some time, to tell which of
the two oracles it was given. Before we pin this down, let us further clarify exactly how the oracle operates.
Think of the oracle as a subroutine to which $A$ has access. Adversary $A$ can make an oracle query $(M_0, M_1)$ by calling the subroutine with arguments $(M_0, M_1)$. In one step, the answer is then returned. Adversary $A$ has no control on how the answer is computed, nor can $A$ see the inner workings of the subroutine, which will typically depend on secret information that $A$ is not provided. Adversary $A$ has only an interface to the subroutine—the ability to call it as a black box, and get back an answer.
First assume the given symmetric encryption scheme $\mathcal{SE}$ is stateless. The oracle, in either world, is probabilistic, because it calls the encryption algorithm. Recall that this algorithm is probabilistic. Above, when we say $C \stackrel{\$}{\leftarrow} \mathcal{E}_K(M_b)$, it is implicit that the oracle picks its own random coins and uses them to compute ciphertext $C$. The random choices of the encryption function are somewhat “under the rug” here, not being explicitly represented in the notation. But these random bits should not be forgotten. They are central to the meaningfulness of the notion and the security of the schemes.
If the given symmetric encryption scheme $\mathcal{SE}$ is stateful, the oracles, in either world, become stateful, too. (Think of a subroutine that maintains a “static” variable across successive calls.) An oracle begins with a state value initialized to a value specified by the encryption scheme. For example, in CTRC mode, the state is an integer ctr that is initialized to 0. Now, each time the oracle is invoked, it computes $\mathcal{E}_K(M_b)$ according to the specification of algorithm $\mathcal{E}$. The algorithm may, as a side-effect, update the state, and upon the next invocation of the oracle, the new state value will be used.
The following definition associates to a symmetric encryption scheme $\mathcal{SE}$ and an adversary $A$ a pair of experiments, one capturing each of the worlds described above. The adversary’s advantage, which measures its success in breaking the scheme, is the difference in probabilities of the two experiments returning the bit one.
Definition 6.8 Let $\mathcal{SE} = (\mathcal{K}, \mathcal{E}, \mathcal{D})$ be a symmetric encryption scheme, and let $A$ be an algorithm that has access to an oracle. We consider the following experiments:

Experiment $\mathbf{Exp}^{\text{ind-cpa-1}}_{\mathcal{SE}}(A)$
    $K \stackrel{\$}{\leftarrow} \mathcal{K}$
    $d \stackrel{\$}{\leftarrow} A^{\mathcal{E}_K(\mathrm{LR}(\cdot,\cdot,1))}$
    Return $d$

Experiment $\mathbf{Exp}^{\text{ind-cpa-0}}_{\mathcal{SE}}(A)$
    $K \stackrel{\$}{\leftarrow} \mathcal{K}$
    $d \stackrel{\$}{\leftarrow} A^{\mathcal{E}_K(\mathrm{LR}(\cdot,\cdot,0))}$
    Return $d$

The oracle used above is specified in Figure 6.6. The IND-CPA advantage of $A$ is defined as
$$\mathbf{Adv}^{\text{ind-cpa}}_{\mathcal{SE}}(A) = \Pr\left[\mathbf{Exp}^{\text{ind-cpa-1}}_{\mathcal{SE}}(A) = 1\right] - \Pr\left[\mathbf{Exp}^{\text{ind-cpa-0}}_{\mathcal{SE}}(A) = 1\right].$$
As the above indicates, the choice of which world we are in is made just once, at the beginning, before the
adversary starts to interact with the oracle. In world 0, all message pairs sent to the oracle are answered by
the oracle encrypting the left message in the pair, while in world 1, all message pairs are answered by the oracle
encrypting the right message in the pair. The choice of which does not ﬂipﬂop from oracle query to oracle
query.
If $\mathbf{Adv}^{\text{ind-cpa}}_{\mathcal{SE}}(A)$ is small (meaning close to zero), it means that $A$ is outputting 1 about as often in world 0 as in world 1, meaning it is not doing a good job of telling which world it is in. If this quantity is large (meaning close to one—or at least far from zero) then the adversary $A$ is doing well, meaning our scheme $\mathcal{SE}$ is not secure, at least to the extent that we regard $A$ as “reasonable.”
Informally, for symmetric encryption scheme $\mathcal{SE}$ to be secure against chosen-plaintext attack, the IND-CPA advantage of an adversary must be small, no matter what strategy the adversary tries. However, we have to be realistic in our expectations, understanding that the advantage may grow as the adversary invests more effort in its attack. Security is a measure of how large the advantage of the adversary might be when compared against the adversary’s resources.
We consider an encryption scheme to be “secure against chosen-plaintext attack” if an adversary restricted to using a “practical” amount of resources (computing time, number of queries) cannot obtain “significant” advantage. The technical notion is called left-or-right indistinguishability under chosen-plaintext attack, denoted IND-CPA.
We discuss some important conventions regarding the resources of adversary A. The running time of an
adversary A is the worst case execution time of A over all possible coins of A and all conceivable oracle return
values (including return values that could never arise in the experiments used to deﬁne the advantage). Oracle
queries are understood to return a value in unit time, but it takes the adversary one unit of time to read any
bit that it chooses to read. By convention, the running time of A also includes the size of the code of the
adversary A, in some ﬁxed RAM model of computation. This convention for measuring time complexity is the
same as used in other parts of these notes, for all kinds of adversaries.
Other resource conventions are specific to the IND-CPA notion. When the adversary asks its left-or-right encryption oracle a query $(M_0, M_1)$ we say that the length of this query is $\max(|M_0|, |M_1|)$. (This will equal $|M_0|$ for any reasonable adversary since an oracle query with messages of different lengths results in the adversary being returned $\bot$, so we can assume no reasonable adversary makes such a query.) The total length of queries is the sum of the length of each query. We can measure query lengths in bits or in blocks, with a block having some understood number of bits $n$.
The resources of the adversary we will typically care about are three. First, its time-complexity, measured according to the convention above. Second, the number of oracle queries, meaning the number of message pairs the adversary asks of its oracle. These messages may have different lengths, and our third resource measure is the sum of all these lengths, denoted $\mu$, again measured according to the convention above.
6.4.2 Alternative interpretation
Let us move on to describe a somewhat different interpretation of left-or-right indistinguishability. Why is $\mathbf{Adv}^{\text{ind-cpa}}_{\mathcal{SE}}(A)$ called the “advantage” of the adversary? We can view the task of the adversary as trying to guess which world it is in. A trivial guess is for the adversary to return a random bit. In that case, it has probability 1/2 of being right. Clearly, it has not done anything damaging in this case. The advantage of the adversary measures how much better than this it does at guessing which world it is in, namely the excess over 1/2 of the adversary’s probability of guessing correctly. In this subsection we will see how the above definition corresponds to this alternative view, a view that lends some extra intuition to the definition and is also useful in later usages of the definition.
Proposition 6.9 Let $\mathcal{SE} = (\mathcal{K}, \mathcal{E}, \mathcal{D})$ be a symmetric encryption scheme, and let $A$ be an algorithm that has access to an oracle that takes input a pair of strings and returns a string. We consider the following experiment:

Experiment $\mathbf{Exp}^{\text{ind-cpa-cg}}_{\mathcal{SE}}(A)$
    $b \stackrel{\$}{\leftarrow} \{0, 1\}$ ; $K \stackrel{\$}{\leftarrow} \mathcal{K}$
    $b' \stackrel{\$}{\leftarrow} A^{\mathcal{E}_K(\mathrm{LR}(\cdot,\cdot,b))}$
    If $b = b'$ then return 1 else return 0

Then
$$\mathbf{Adv}^{\text{ind-cpa}}_{\mathcal{SE}}(A) = 2 \cdot \Pr\left[\mathbf{Exp}^{\text{ind-cpa-cg}}_{\mathcal{SE}}(A) = 1\right] - 1.$$
In the above experiment, adversary $A$ is run with an oracle for world $b$, where the bit $b$ is chosen at random. $A$ eventually outputs a bit $b'$, its guess as to the value of $b$. The experiment returns 1 if $A$’s guess is correct. Thus, $\Pr\left[\mathbf{Exp}^{\text{ind-cpa-cg}}_{\mathcal{SE}}(A) = 1\right]$ is the probability that $A$ correctly guesses which world it is in. (The “cg” in the superscript naming the experiment stands for “correct guess.”) The probability is over the initial choice of world as given by the bit $b$, the choice of $K$, the random choices of $\mathcal{E}_K(\cdot)$ if any, and the coins of $A$ if any. This value is 1/2 when the adversary deserves no advantage, since one can guess $b$ correctly by a strategy as simple as “always answer zero” or “answer with a random bit.” The “advantage” of $A$ can thus be viewed as the excess of this probability over 1/2, which, rescaled, is
$$2 \cdot \Pr\left[\mathbf{Exp}^{\text{ind-cpa-cg}}_{\mathcal{SE}}(A) = 1\right] - 1.$$
The Proposition says that this rescaled advantage is exactly the same measure as before.
Proof of Proposition 6.9: We let $\Pr[\cdot]$ be the probability of event “$\cdot$” in the experiment $\mathbf{Exp}^{\text{ind-cpa-cg}}_{\mathcal{SE}}(A)$, and refer below to quantities in this experiment. The claim of the Proposition follows by a straightforward calculation:
$$\begin{aligned}
\Pr\left[\mathbf{Exp}^{\text{ind-cpa-cg}}_{\mathcal{SE}}(A) = 1\right]
&= \Pr[b = b'] \\
&= \Pr[b = b' \mid b = 1] \cdot \Pr[b = 1] + \Pr[b = b' \mid b = 0] \cdot \Pr[b = 0] \\
&= \Pr[b = b' \mid b = 1] \cdot \tfrac{1}{2} + \Pr[b = b' \mid b = 0] \cdot \tfrac{1}{2} \\
&= \Pr[b' = 1 \mid b = 1] \cdot \tfrac{1}{2} + \Pr[b' = 0 \mid b = 0] \cdot \tfrac{1}{2} \\
&= \Pr[b' = 1 \mid b = 1] \cdot \tfrac{1}{2} + \left(1 - \Pr[b' = 1 \mid b = 0]\right) \cdot \tfrac{1}{2} \\
&= \tfrac{1}{2} + \tfrac{1}{2} \left(\Pr[b' = 1 \mid b = 1] - \Pr[b' = 1 \mid b = 0]\right) \\
&= \tfrac{1}{2} + \tfrac{1}{2} \left(\Pr\left[\mathbf{Exp}^{\text{ind-cpa-1}}_{\mathcal{SE}}(A) = 1\right] - \Pr\left[\mathbf{Exp}^{\text{ind-cpa-0}}_{\mathcal{SE}}(A) = 1\right]\right) \\
&= \tfrac{1}{2} + \tfrac{1}{2} \, \mathbf{Adv}^{\text{ind-cpa}}_{\mathcal{SE}}(A).
\end{aligned}$$
We began by expanding the quantity of interest via standard conditioning. The term of 1/2 in the third line emerged because the choice of $b$ is made at random. In the fourth line we noted that if we are asking whether $b = b'$ given that we know $b = 1$, it is the same as asking whether $b' = 1$ given $b = 1$, and analogously for $b = 0$.
In the ﬁfth line and sixth lines we just manipulated the probabilities and simpliﬁed. The next line is important;
here we observed that the conditional probabilities in question are exactly the probabilities that A returns 1 in
the experiments of Deﬁnition 6.8.
6.4.3 Why is this a good deﬁnition?
Our thesis is that we should consider an encryption scheme to be “secure” if and only if it is IND-CPA secure, meaning that the above formalization captures our intuitive sense of privacy, and the security requirements that one might put on an encryption scheme can be boiled down to this one.
But why? Why does IND-CPA capture “privacy”? This is an important question to address and answer.
In particular, here is one concern. In Section 6.3 we noted a number of security properties that are necessary but not sufficient for security. For example, it should be computationally infeasible for an adversary to recover the key from a few plaintext-ciphertext pairs, or to recover a plaintext from a ciphertext.
A test of our definition is that it implies the necessary properties that we have discussed, and others. For example, a scheme that is secure in the IND-CPA sense of our definition should also be, automatically, secure against key-recovery or plaintext-recovery. Later, we will prove such things, and even stronger things. For now, let us continue to get a better sense of how to work with the definition by using it to show that certain schemes are insecure.
6.5 Example chosen-plaintext attacks
We illustrate the use of our IND-CPA definition in finding attacks by providing an attack on ECB mode, and also a general attack on deterministic, stateless schemes.
6.5.1 Attack on ECB
Let us fix a block cipher $E\colon \mathcal{K} \times \{0, 1\}^n \to \{0, 1\}^n$. The ECB symmetric encryption scheme $\mathcal{SE} = (\mathcal{K}, \mathcal{E}, \mathcal{D})$ was described as Scheme 6.3. Suppose an adversary sees a ciphertext $C = \mathcal{E}_K(M)$ corresponding to some random plaintext $M$, encrypted under the key $K$ also unknown to the adversary. Can the adversary recover $M$? Not easily, if $E$ is a “good” block cipher. For example if $E$ is AES, it seems quite infeasible. Yet, we have already discussed how infeasibility of recovering plaintext from ciphertext is not an indication of security. ECB has other weaknesses. Notice that if two plaintexts $M$ and $M'$ agree in the first block, then so do the corresponding ciphertexts. So an adversary, given the ciphertexts, can tell whether or not the first blocks of the corresponding plaintexts are the same. This is loss of partial information about the plaintexts, and is not permissible in a secure encryption scheme.
It is a test of our deﬁnition to see that it captures these weaknesses and also ﬁnds the scheme insecure. It does.
To show this, we want to show that there is an adversary that has a high IND-CPA advantage while using a small amount of resources. We now construct such an adversary $A$. Remember that $A$ is given an lr-encryption oracle $\mathcal{E}_K(\mathrm{LR}(\cdot, \cdot, b))$ that takes as input a pair of messages and that returns an encryption of either the left or the right message in the pair, depending on the value of the bit $b$. The goal of $A$ is to determine the value of $b$. Our adversary works like this:

Adversary $A^{\mathcal{E}_K(\mathrm{LR}(\cdot,\cdot,b))}$
    $M_1 \leftarrow 0^{2n}$ ; $M_0 \leftarrow 0^n 1^n$
    $C[1]C[2] \leftarrow \mathcal{E}_K(\mathrm{LR}(M_0, M_1, b))$
    If $C[1] = C[2]$ then return 1 else return 0

Above, $X[i]$ denotes the $i$-th block of a string $X$, a block being a sequence of $n$ bits. The adversary’s single oracle query is the pair of messages $M_0, M_1$. Since each of them is two blocks long, so is the ciphertext computed according to the ECB scheme. Now, we claim that
$$\Pr\left[\mathbf{Exp}^{\text{ind-cpa-1}}_{\mathcal{SE}}(A) = 1\right] = 1 \quad\text{and}\quad \Pr\left[\mathbf{Exp}^{\text{ind-cpa-0}}_{\mathcal{SE}}(A) = 1\right] = 0.$$
Why? You have to return to the definitions of the quantities in question, and trace through the experiments defined there. In world 1, meaning $b = 1$, the oracle returns $C[1]C[2] = E_K(0^n)E_K(0^n)$, so $C[1] = C[2]$ and $A$ returns 1. In world 0, meaning $b = 0$, the oracle returns $C[1]C[2] = E_K(0^n)E_K(1^n)$. Since $E_K$ is a permutation, $C[1] \neq C[2]$. So $A$ returns 0 in this case.
Subtracting, we get $\mathbf{Adv}^{\text{ind-cpa}}_{\mathcal{SE}}(A) = 1 - 0 = 1$. And $A$ achieved this advantage by making just one oracle query, whose length, which as per our conventions is just the length of $M_0$, is $2n$ bits. This means that the ECB encryption scheme is insecure.
As an exercise, try to analyze the same adversary as an adversary against CBC$ or CTR modes, and convince
yourself that the adversary will not get a high advantage.
There is an important feature of this attack that must be emphasized. Namely, ECB is an insecure encryption
scheme even if the underlying block cipher E is highly secure. The weakness is not in the tool being used (here
the block cipher) but in the manner we are using it. It is the ECB mechanism that is at fault. Even the best
of tools are useless if you don’t know how to properly use them.
This is the kind of design ﬂaw that we want to be able to spot and eradicate. Our goal is to ﬁnd symmetric
encryption schemes that are secure as long as the underlying block cipher is secure. In other words, the scheme
has no inherent ﬂaw; as long as you use good ingredients, the recipe will produce a good meal.
If you don’t use good ingredients? Well, that is your problem. All bets are oﬀ.
6.5.2 Any deterministic, stateless scheme is insecure
ECB mode is deterministic and stateless, so that if the same message is encrypted twice, the same ciphertext
is returned. It turns out that this property, in general, results in an insecure scheme, and provides perhaps a
better understanding of why ECB fails. Let us state the general fact more precisely.
Proposition 6.10 Let $\mathcal{SE} = (\mathcal{K}, \mathcal{E}, \mathcal{D})$ be a deterministic, stateless symmetric encryption scheme. Assume there is an integer $m$ such that the plaintext space of the scheme contains two distinct strings of length $m$. Then there is an adversary $A$ such that
$$\mathbf{Adv}^{\text{ind-cpa}}_{\mathcal{SE}}(A) = 1.$$
Adversary $A$ runs in time $O(m)$ and asks just two queries, each of length $m$.
The requirement being made on the message space is minimal; typical schemes have message spaces containing all strings of lengths between some minimum and maximum length, possibly restricted to strings of some given multiples. Note that this Proposition applies to ECB and is enough to show the latter is insecure.
Proof of Proposition 6.10: We must describe the adversary $A$. Remember that $A$ is given an lr-encryption oracle $f = \mathcal{E}_K(\mathrm{LR}(\cdot, \cdot, b))$ that takes input a pair of messages and returns an encryption of either the left or the right message in the pair, depending on the value of $b$. The goal of $A$ is to determine the value of $b$. Our adversary works like this:

Adversary $A^f$
    Let $X, Y$ be distinct, $m$-bit strings in the plaintext space
    $C_1 \leftarrow \mathcal{E}_K(\mathrm{LR}(X, Y, b))$
    $C_2 \leftarrow \mathcal{E}_K(\mathrm{LR}(Y, Y, b))$
    If $C_1 = C_2$ then return 1 else return 0

Now, we claim that
$$\Pr\left[\mathbf{Exp}^{\text{ind-cpa-1}}_{\mathcal{SE}}(A) = 1\right] = 1 \quad\text{and}\quad \Pr\left[\mathbf{Exp}^{\text{ind-cpa-0}}_{\mathcal{SE}}(A) = 1\right] = 0.$$
Why? In world 1, meaning $b = 1$, the oracle returns $C_1 = \mathcal{E}_K(Y)$ and $C_2 = \mathcal{E}_K(Y)$, and since the encryption function is deterministic and stateless, $C_1 = C_2$, so $A$ returns 1. In world 0, meaning $b = 0$, the oracle returns $C_1 = \mathcal{E}_K(X)$ and $C_2 = \mathcal{E}_K(Y)$, and since it is required that decryption be able to recover the message, it must be that $C_1 \neq C_2$. So $A$ returns 0.
Subtracting, we get $\mathbf{Adv}^{\text{ind-cpa}}_{\mathcal{SE}}(A) = 1 - 0 = 1$. And $A$ achieved this advantage by making two oracle queries, each of whose length, which as per our conventions is just the length of the first message, is $m$ bits.
6.5.3 Attack on CBC encryption with counter IV
Let us fix a block cipher $E\colon \mathcal{K} \times \{0, 1\}^n \to \{0, 1\}^n$. Let $\mathcal{SE} = (\mathcal{K}, \mathcal{E}, \mathcal{D})$ be the corresponding counter-based version of the CBC encryption mode described in Scheme 6.5. We show that this scheme is insecure. The reason is that the adversary can predict the counter value.
To justify our claim of insecurity, we present an adversary $A$. As usual it is given an lr-encryption oracle $\mathcal{E}_K(\mathrm{LR}(\cdot, \cdot, b))$ and wants to determine $b$. Our adversary works like this:

Adversary $A^{\mathcal{E}_K(\mathrm{LR}(\cdot,\cdot,b))}$
    $M_{0,1} \leftarrow 0^n$ ; $M_{1,1} \leftarrow 0^n$
    $M_{0,2} \leftarrow 0^n$ ; $M_{1,2} \leftarrow 0^{n-1}1$
    $\langle IV_1, C_1 \rangle \stackrel{\$}{\leftarrow} \mathcal{E}_K(\mathrm{LR}(M_{0,1}, M_{1,1}, b))$
    $\langle IV_2, C_2 \rangle \stackrel{\$}{\leftarrow} \mathcal{E}_K(\mathrm{LR}(M_{0,2}, M_{1,2}, b))$
    If $C_1 = C_2$ then return 1 else return 0

We claim that
$$\Pr\left[\mathbf{Exp}^{\text{ind-cpa-1}}_{\mathcal{SE}}(A) = 1\right] = 1 \quad\text{and}\quad \Pr\left[\mathbf{Exp}^{\text{ind-cpa-0}}_{\mathcal{SE}}(A) = 1\right] = 0.$$
Why? First consider the case $b = 0$, meaning we are in world 0. In that case $IV_1 = 0$ and $IV_2 = 1$ and $C_1 = E_K(0)$ and $C_2 = E_K(1)$ and so $C_1 \neq C_2$ and the defined experiment returns 0. On the other hand, if $b = 1$, meaning we are in world 1, then $IV_1 = 0$ and $IV_2 = 1$ and $C_1 = E_K(0)$ and $C_2 = E_K(0)$, so the defined experiment returns 1.
Subtracting, we get $\mathbf{Adv}^{\text{ind-cpa}}_{\mathcal{SE}}(A) = 1 - 0 = 1$, showing that $A$ has a very high advantage. Moreover, $A$ is practical, using very few resources. So the scheme is insecure.
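The left-or-right oracle of Figure 6.6, the experiments of Definition 6.8, and the three adversaries of Sections 6.5.1, 6.5.2 and 6.5.3 above, written out as a runnable Python example. This is an added example and not code from the notes: the block cipher is a toy 4-round Feistel network built from HMAC-SHA256 (all the analysis above uses is that $E_K$ is a permutation), keys are 16 random bytes, the scheme classes ECB, CBCC and CBCR and all function names are our own, and the advantage is estimated by repeating each experiment rather than computed exactly. It also goes one step beyond the text by running the Section 6.5.1 adversary against CBC$ (the exercise suggested at the end of that section), where the estimated advantage comes out essentially zero.

```python
import hashlib
import hmac
import os

N = 16  # block length n in bytes (n = 128 bits); constructed for this example

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def block_encrypt(key, block):
    """Toy block cipher E_K: 4-round Feistel with an HMAC-SHA256 round function. Each
    round is invertible, so E_K is a permutation (all the ECB analysis needs). Not AES."""
    assert len(block) == N
    left, right = block[: N // 2], block[N // 2 :]
    for rnd in range(4):
        f = hmac.new(key, bytes([rnd]) + right, hashlib.sha256).digest()[: N // 2]
        left, right = right, xor(left, f)
    return left + right

def blocks(msg):
    return [msg[i : i + N] for i in range(0, len(msg), N)]

def cbc(key, iv, msg):
    prev, out = iv, [iv]  # ciphertext is the IV followed by the CBC blocks
    for blk in blocks(msg):
        prev = block_encrypt(key, xor(prev, blk))
        out.append(prev)
    return b"".join(out)

class ECB:
    """Scheme 6.3: deterministic and stateless."""
    def __init__(self, key):
        self.key = key
    def encrypt(self, msg):
        return b"".join(block_encrypt(self.key, blk) for blk in blocks(msg))

class CBCC(ECB):
    """Scheme 6.5: CBC with a counter IV; stateful, and the IV is predictable."""
    def __init__(self, key):
        super().__init__(key)
        self.ctr = 0
    def encrypt(self, msg):
        iv = self.ctr.to_bytes(N, "big")
        self.ctr += 1
        return cbc(self.key, iv, msg)

class CBCR(ECB):
    """CBC$: CBC with a fresh random IV on every call."""
    def encrypt(self, msg):
        return cbc(self.key, os.urandom(N), msg)

def lr_oracle(scheme, b):
    """Figure 6.6: E_K(LR(., ., b)); None stands for the ⊥ answer on unequal lengths."""
    def oracle(m0, m1):
        if len(m0) != len(m1):
            return None
        return scheme.encrypt(m1 if b == 1 else m0)
    return oracle

def exp_ind_cpa(scheme_cls, adversary, b):
    """Exp^{ind-cpa-b}_{SE}(A): fresh key K, then run A with the world-b oracle."""
    return adversary(lr_oracle(scheme_cls(os.urandom(16)), b))

def advantage(scheme_cls, adversary, trials=100):
    """Empirical Adv^{ind-cpa}_{SE}(A) = Pr[Exp^1 = 1] - Pr[Exp^0 = 1]."""
    p1 = sum(exp_ind_cpa(scheme_cls, adversary, 1) for _ in range(trials)) / trials
    p0 = sum(exp_ind_cpa(scheme_cls, adversary, 0) for _ in range(trials)) / trials
    return p1 - p0

def ecb_adversary(oracle):
    """Section 6.5.1: one query (0^n 1^n, 0^{2n}); equal last two blocks means world 1."""
    c = oracle(bytes(N) + b"\xff" * N, bytes(2 * N))
    return 1 if c[-2 * N : -N] == c[-N:] else 0

def deterministic_adversary(oracle):
    """Proposition 6.10: queries (X, Y) then (Y, Y); equal ciphertexts means world 1."""
    x, y = bytes(N), b"\xff" * N
    return 1 if oracle(x, y) == oracle(y, y) else 0

def cbcc_adversary(oracle):
    """Section 6.5.3: M_{1,2} = 0^{n-1}1 cancels the predictable IV_2 = 1 in world 1."""
    zero, one = bytes(N), (1).to_bytes(N, "big")
    c1 = oracle(zero, zero)[N:]  # drop IV_1
    c2 = oracle(zero, one)[N:]  # drop IV_2
    return 1 if c1 == c2 else 0

if __name__ == "__main__":
    for name, cls, adv in [("ECB / 6.5.1", ECB, ecb_adversary), ("ECB / Prop 6.10", ECB, deterministic_adversary),
                           ("CBCC / 6.5.3", CBCC, cbcc_adversary), ("CBC$ / 6.5.1 adversary", CBCR, ecb_adversary)]:
        print(f"{name}: estimated advantage {advantage(cls, adv):.2f}")
```

The three adversaries against the schemes they were designed for reach advantage 1 in every trial, exactly as the proofs above compute. Against CBC$ the Section 6.5.1 adversary sees $C[1] = C[2]$ only when $E_K(IV) = E_K(E_K(IV))$, i.e. when $IV$ is a fixed point of $E_K$, so its estimated advantage is 0; the estimate is a sample statistic and, for an adversary with genuinely small advantage, needs many trials before it says anything.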
6.6 IND-CPA implies PR-CPA
In Section 6.3 we noted a number of security properties that are necessary but not sufficient for security. For example, it should be computationally infeasible for an adversary to recover the key from a few plaintext-ciphertext pairs, or to recover a plaintext from a ciphertext. A test of our definition is that it implies these properties, in the sense that a scheme that is secure in the sense of our definition is also secure against key-recovery or plaintext-recovery.
The situation is analogous to what we saw in the case of PRFs. There we showed that a secure PRF is secure against key-recovery. In order to have some variation, this time we choose a different property, namely plaintext-recovery. We formalize this, and then show if there was an adversary $B$ capable of recovering the plaintext from a given ciphertext, then this would enable us to construct an adversary $A$ that broke the scheme in the IND-CPA sense (meaning the adversary can identify which of the two worlds it is in). If the scheme is secure in the IND-CPA sense, that latter adversary could not exist, and hence neither could the former.
The idea of this argument illustrates one way to evidence that a definition is good—say the definition of left-or-right indistinguishability. Take some property that you feel a secure scheme should have, like infeasibility of key recovery from a few plaintext-ciphertext pairs, or infeasibility of predicting the XOR of the plaintext bits. Imagine there were an adversary $B$ that was successful at this task. We should show that this would enable us to construct an adversary $A$ that broke the scheme in the original sense (left-or-right indistinguishability). Thus the adversary $B$ does not exist if the scheme is secure in the left-or-right sense. More precisely, we use the advantage function of the scheme to bound the probability that adversary $B$ succeeds.
Let us now go through the plaintext recovery example in detail. The task facing the adversary will be to decrypt a ciphertext which was formed by encrypting a randomly chosen challenge message of some length $m$. In the process we want to give the adversary the ability to see plaintext-ciphertext pairs, which we capture by giving the adversary access to an encryption oracle. This encryption oracle is not the lr-encryption oracle we saw above: instead, it simply takes input a single message $M$ and returns a ciphertext $C \stackrel{\$}{\leftarrow} \mathcal{E}_K(M)$ computed by encrypting $M$. To capture providing the adversary with a challenge ciphertext, we choose a random $m$-bit plaintext $M$, compute $C \stackrel{\$}{\leftarrow} \mathcal{E}_K(M)$, and give $C$ to the adversary. The adversary wins if it can output the plaintext $M$ corresponding to the ciphertext $C$.
For simplicity we assume the encryption scheme is stateless, and that $\{0, 1\}^m$ is a subset of the plaintext space associated to the scheme. As usual, when either the encryption or the challenge oracle invokes the encryption function, it is implicit that they respect the randomized nature of the encryption function, meaning the latter tosses coins anew upon each invocation of the oracle.
Definition 6.11 Let $\mathcal{SE} = (\mathcal{K}, \mathcal{E}, \mathcal{D})$ be a stateless symmetric encryption scheme whose plaintext space includes $\{0, 1\}^m$ and let $B$ be an algorithm that has access to an oracle. We consider the following experiment:

Experiment $\mathbf{Exp}^{\text{pr-cpa}}_{\mathcal{SE}}(B)$
    $K \stackrel{\$}{\leftarrow} \mathcal{K}$
    $M' \stackrel{\$}{\leftarrow} \{0, 1\}^m$
    $C \stackrel{\$}{\leftarrow} \mathcal{E}_K(M')$
    $M \stackrel{\$}{\leftarrow} B^{\mathcal{E}_K(\cdot)}(C)$
    If $M = M'$ then return 1 else return 0

The PR-CPA advantage of $B$ is defined as
$$\mathbf{Adv}^{\text{pr-cpa}}_{\mathcal{SE}}(B) = \Pr\left[\mathbf{Exp}^{\text{pr-cpa}}_{\mathcal{SE}}(B) = 1\right].$$
In the experiment above, B is executed with its oracle and challenge ciphertext C. The adversary B wins if
it can correctly decrypt C, and in that case the experiment returns 1. In the process, the adversary can make
encryption oracle queries as it pleases.
The following Proposition says that the probability that an adversary successfully recovers a plaintext from a challenge ciphertext cannot exceed the IND-CPA advantage of the scheme (with resource parameters those of the plaintext recovery adversary) plus the chance of simply guessing the plaintext. In other words, security in the IND-CPA sense implies security in the PR-CPA sense.
Proposition 6.12 [IND-CPA ⇒ PR-CPA] Let $\mathcal{SE} = (\mathcal{K}, \mathcal{E}, \mathcal{D})$ be a stateless symmetric encryption scheme whose plaintext space includes $\{0, 1\}^m$. Suppose that $B$ is a (plaintext-recovery) adversary that runs in time $t$ and asks at most $q$ queries, these queries totaling at most $\mu$ bits. Then there exists an adversary $A$ such that
$$\mathbf{Adv}^{\text{pr-cpa}}_{\mathcal{SE}}(B) \le \mathbf{Adv}^{\text{ind-cpa}}_{\mathcal{SE}}(A) + \frac{1}{2^m}.$$
Furthermore, the running time of $A$ is that of $B$ plus $O(\mu + m + c)$ where $c$ bounds the length of the encryption of an $m$-bit string. $A$ makes $q + 1$ oracle queries and these queries total at most $\mu + m$ bits.
Proof of Proposition 6.12: As per Definition 6.8, adversary $A$ will be provided an lr-encryption oracle and will try to determine in which world it resides. To do so, it will run adversary $B$ as a subroutine. We provide the description followed by an explanation and analysis.

Adversary $A^{\mathcal{E}_K(\mathrm{LR}(\cdot,\cdot,b))}$
    $M_0 \stackrel{\$}{\leftarrow} \{0, 1\}^m$ ; $M_1 \stackrel{\$}{\leftarrow} \{0, 1\}^m$
    $C \leftarrow \mathcal{E}_K(\mathrm{LR}(M_0, M_1, b))$
    Run adversary $B$ on input $C$, replying to its oracle queries as follows
        When $B$ makes an oracle query $X$ to $g$ do
            $Y \leftarrow \mathcal{E}_K(\mathrm{LR}(X, X, b))$
            return $Y$ to $B$ as the answer
    When $B$ halts and outputs a plaintext $M$
        If $M = M_1$ then return 1 else return 0
Here A is running B and itself providing answers to B's oracle queries. To make the challenge ciphertext C for B, adversary A chooses random messages $M_0$ and $M_1$ and uses its lr-oracle to get the encryption C of one of them. When B makes an encryption oracle query X, adversary A needs to return $\mathcal{E}_K(X)$. It does this by invoking its lr-encryption oracle, setting both messages in the pair to X, so that regardless of the value of the bit b, the ciphertext returned is an encryption of X, just as B wants. When B outputs a plaintext M, adversary A tests whether $M = M_1$ and if so bets that it is in world 1. Otherwise, it bets that it is in world 0.
Now we claim that

    $\Pr\left[\mathbf{Exp}^{\mathrm{ind-cpa-1}}_{\mathcal{SE}}(A) = 1\right] \ge \mathbf{Adv}^{\mathrm{pr-cpa}}_{\mathcal{SE}}(B)$   (6.1)

    $\Pr\left[\mathbf{Exp}^{\mathrm{ind-cpa-0}}_{\mathcal{SE}}(A) = 1\right] \le 2^{-m}.$   (6.2)
We will justify these claims shortly, but first let us use them to conclude. Subtracting, as per Definition 6.8, we get

    $\mathbf{Adv}^{\mathrm{ind-cpa}}_{\mathcal{SE}}(A) = \Pr\left[\mathbf{Exp}^{\mathrm{ind-cpa-1}}_{\mathcal{SE}}(A) = 1\right] - \Pr\left[\mathbf{Exp}^{\mathrm{ind-cpa-0}}_{\mathcal{SE}}(A) = 1\right] \ge \mathbf{Adv}^{\mathrm{pr-cpa}}_{\mathcal{SE}}(B) - 2^{-m}.$
It remains to justify Equations (6.1) and (6.2).
Adversary B will return $M = \mathcal{D}_K(C)$ with probability $\mathbf{Adv}^{\mathrm{pr-cpa}}_{\mathcal{SE}}(B)$. In world 1, ciphertext C is an encryption of $M_1$, so this means that $M = M_1$ with probability at least $\mathbf{Adv}^{\mathrm{pr-cpa}}_{\mathcal{SE}}(B)$, and thus Equation (6.1) is true.
Now assume A is in world 0. In that case, adversary A will return 1 only if B returns $M = M_1$. But B is given no information about $M_1$, since C is an encryption of $M_0$ and $M_1$ is chosen randomly and independently of $M_0$. It is simply impossible for B to output $M_1$ with probability greater than $2^{-m}$. Thus Equation (6.2) is true.
Similar arguments can be made to show that other desired security properties of a symmetric encryption scheme follow from this definition. For example, is it possible that some adversary B, given some plaintext-ciphertext pairs and then a challenge ciphertext C, can compute the XOR of the bits of $M = \mathcal{D}_K(C)$? Or the sum of these bits? Or the last bit of M? Its probability of doing any of these cannot be more than marginally above 1/2 because were it so, we could design an adversary A that won the left-or-right game using resources comparable to those used by B. We leave as an exercise the formulation and working out of other such examples along the lines of Proposition 6.12.
Of course one cannot exhaustively enumerate all desirable security properties. But you should be moving towards being convinced that our notion of left-or-right security covers all the natural desirable properties of security under chosen plaintext attack. Indeed, we err, if anything, on the conservative side. There are some attacks that might in real life be viewed as hardly damaging, yet our definition declares the scheme insecure if it succumbs to one of these. That is all right; there is no harm in making our definition a little demanding. What is more important is that if there is any attack that in real life would be viewed as damaging, then the scheme will fail the left-or-right test, so that our formal notion too declares it insecure.
6.7 Security of CTR modes
Recall that the CTR (counter) mode of operation of a family of functions comes in two variants: the randomized (stateless) version CTRC of Scheme 6.6, and the counter-based (stateful) mechanism CTR$ of Scheme 6.7. Both modes achieve indistinguishability under a chosen-plaintext attack, but, interestingly, the quantitative security is a little different. The difference springs from the fact that CTRC achieves perfect indistinguishability if one uses the random function family Func(n) in the role of the underlying family of functions F—but CTR$ would not achieve perfect indistinguishability even then, because of the possibility that collisions would produce "overlaps" in the pseudo-one-time pad.
We will state the main theorems about the schemes, discuss them, and then prove them. For the counter version
we have:
Theorem 6.13 [Security of CTRC mode] Let $F\colon \mathcal{K} \times \{0,1\}^{\ell} \to \{0,1\}^{L}$ be a family of functions and let $\mathcal{SE} = (\mathcal{K}, \mathcal{E}, \mathcal{D})$ be the corresponding CTRC symmetric encryption scheme as described in Scheme 6.7. Let A be an adversary (for attacking the IND-CPA security of $\mathcal{SE}$) that runs in time at most t and asks at most q queries, these totaling at most σ L-bit blocks. Then there exists an adversary B (attacking the PRF security of F) such that

    $\mathbf{Adv}^{\mathrm{ind-cpa}}_{\mathcal{SE}}(A) \le \mathbf{Adv}^{\mathrm{prf}}_{F}(B).$

Furthermore B runs in time at most $t' = t + O(q + (\ell + L)\sigma)$ and asks at most $q' = \sigma$ oracle queries.
Theorem 6.14 [Security of CTR$ mode] Let $F\colon \mathcal{K} \times \{0,1\}^{\ell} \to \{0,1\}^{L}$ be a block cipher and let $\mathcal{SE} = (\mathcal{K}, \mathcal{E}, \mathcal{D})$ be the corresponding CTR$ symmetric encryption scheme as described in Scheme 6.6. Let A be an adversary (for attacking the IND-CPA security of $\mathcal{SE}$) that runs in time at most t and asks at most q queries, these totaling at most σ L-bit blocks. Then there exists an adversary B (attacking the PRF security of F) such that

    $\mathbf{Adv}^{\mathrm{ind-cpa}}_{\mathcal{SE}}(A) \le \mathbf{Adv}^{\mathrm{prf}}_{F}(B) + \frac{0.5\,\sigma^2}{2^{\ell}}.$

Furthermore B runs in time at most $t' = t + O(q + (\ell + L)\sigma)$ and asks at most $q' = \sigma$ oracle queries.
The above theorems exemplify the kinds of results that the provable-security approach is about. Namely, we are able to provide provable guarantees of security of some higher-level cryptographic construct (in this case, a symmetric encryption scheme) based on the assumption that some building block (in this case an underlying block cipher) is secure. The above results are the first example of the "punchline" we have been building towards. So it is worth pausing at this point and trying to make sure we really understand what these theorems are saying and what their implications are.
If we want to entrust our data to some encryption mechanism, we want to know that this encryption mechanism really provides privacy. If it is ill-designed, it may not. We saw this happen with ECB. Even if we used a secure block cipher, the flaws of ECB mode make it an insecure encryption scheme.
Flaws are not apparent in CTR at first glance. But maybe they exist. It is very hard to see how one can be convinced they do not exist, when one cannot possibly exhaust the space of all possible attacks that could be tried. Yet this is exactly the difficulty that the above theorems circumvent. They are saying that CTR mode does not have design flaws. They are saying that as long as you use a good block cipher, you are assured that nobody will break your encryption scheme. One cannot ask for more, since if one does not use a good block cipher, there is no reason to expect security of your encryption scheme anyway. We are thus getting a conviction that all attacks fail even though we do not even know exactly how these attacks might operate. That is the power of the approach.
Now, one might appreciate that the ability to make such a powerful statement takes work. It is for this that we have put so much work and time into developing the definitions: the formal notions of security that make such results meaningful. For readers who have less experience with definitions, it is worth knowing, at least, that the effort is worth it. It takes time and work to understand the notions, but the payoffs are big: you get significant guarantees of security.
How, exactly, are the theorems saying this? The above discussion has pushed under the rug the quantitative
aspect that is an important part of the results. It may help to look at a concrete example.
Example 6.15 Let us suppose that F is the block cipher AES, so that $\ell = L = 128$. Suppose I want to encrypt $q = 2^{30}$ messages, each being one kilobyte ($2^{13}$ bits) long. I am thus encrypting a total of $2^{43}$ bits, which is to say $\sigma = 2^{36}$ blocks. (This is about one terabyte). Can I do this securely using CTR$? Let A be an adversary attacking the privacy of my encryption. Theorem 6.14 says that there exists a B satisfying the stated conditions. How large can $\mathbf{Adv}^{\mathrm{prf}}_{\mathrm{AES}}(B)$ be? It makes $q = 2^{36}$ queries, and it is consistent with our state of knowledge of the security of AES to assume that such an adversary cannot do better than mount a birthday attack, meaning its advantage is no more than $q^2/2^{128}$. Then, the theorem tells us that

    $\mathbf{Adv}^{\mathrm{ind-cpa}}_{\mathcal{SE}}(A) \le \frac{\sigma^2}{2^{128}} + \frac{0.5\,\sigma^2}{2^{128}} = \frac{1.5 \cdot 2^{72}}{2^{128}} \le \frac{1}{2^{55}}.$

This is a very small number indeed, saying that our encryption is secure, at least under the assumption that the best attack on the PRF security of AES is a birthday attack. Note however that if we encrypt $2^{64}$ blocks of data, all provable security has been lost.
The example illustrates how to use the theorems to ﬁgure out how much security you will get from the CTR
encryption scheme in a given application.
Note that as per the above theorems, encrypting more than $\sigma = 2^{\ell/2}$ blocks of data with CTR$ is not secure regardless of the quality of F as a PRF. On the other hand, with CTRC, it might be secure, as long as F can withstand σ queries. This is an interesting and possibly useful distinction. Yet, in the setting in which such modes are usually employed, the distinction all but vanishes. For, usually, F is a block cipher, and $\ell = L$ is its block length. In that case, we know from the birthday attack that the prf-advantage of B may itself be as large as $\Theta(\sigma^2/2^{\ell})$, and thus, again, encrypting more than $\sigma = 2^{\ell/2}$ blocks of data is not secure. However, we might be able to find or build function families F that are not families of permutations and preserve PRF security against adversaries making more than $2^{\ell/2}$ queries.
6.7.1 Proof of Theorem 6.13
Yes, but it is not there now, and this creates a gap. As long as it is
algorithm $\mathcal{E}_g(M)$
    static ctr ← 0
    m ← |M|/L
    If ctr + m ≥ $2^{\ell}$ then return ⊥
    Pad ← g(ctr + 1) g(ctr + 2) ··· g(ctr + m)
    Pad ← the first |M| bits of Pad
    C ← M ⊕ Pad
    ctr ← ctr + m
    return ⟨ctr − m, C⟩

algorithm $\mathcal{D}_g(\langle i, C\rangle)$
    m ← |C|/L
    Pad ← g(i + 1) g(i + 2) ··· g(i + m)
    Pad ← the first |C| bits of Pad
    M ← Pad ⊕ C
    return M

Figure 6.7: Version $\mathcal{SE}[G] = (\mathcal{K}, \mathcal{E}, \mathcal{D})$ of the CTRC scheme parameterized by a family of functions G.
The paradigm used is quite general in many of its aspects, and we will use it again, not only for encryption
schemes, but for other kinds of schemes that are based on pseudorandom functions.
An important observation regarding the CTR scheme is that the encryption and decryption operations do not need direct access to the key K, but only access to a subroutine, or oracle, that implements the function $F_K$. This is important because one can consider what happens when $F_K$ is replaced by some other function. To consider such replacements, we reformulate the scheme. We introduce a scheme that takes as a parameter any given family of functions G having domain $\{0,1\}^{\ell}$ and range $\{0,1\}^{L}$. As we will see later the cases of interest are G = F and G = $\mathrm{Func}(\ell, L)$. Let us first however describe this parameterized scheme. In the rest of this proof, $\mathcal{SE}[G] = (\mathcal{K}, \mathcal{E}, \mathcal{D})$ denotes the symmetric encryption scheme defined as follows. The key generation algorithm simply returns a random instance of G, meaning that it picks a function $g \stackrel{\$}{\leftarrow} G$ from family G at random, and views g as the key. The encryption and decryption algorithms are shown in Figure 6.7. (The scheme is stateful, with the encryptor maintaining a counter that is initially zero). As the description indicates, the scheme is exactly CTRC, except that function g is used in place of $F_K$. This seemingly cosmetic change of viewpoint is quite useful, as we will see.
We observe that the scheme in which we are interested, and which the theorem is about, is simply $\mathcal{SE}[F]$ where F is our given family of functions as per the theorem. Now, the proof breaks into two parts. The first step removes F from the picture, and looks instead at an "idealized" version of the scheme. Namely we consider the scheme $\mathcal{SE}[\mathrm{Func}(\ell, L)]$. Here, a random function g of ℓ bits to L bits is being used where the original scheme would use $F_K$. We then assess an adversary's chance of breaking this idealized scheme. We argue that this chance is actually zero. This is the main lemma in the analysis.
This step is definitely a thought experiment. No real implementation can use a random function in place of $F_K$ because even storing such a function takes an exorbitant amount of memory. But this analysis of the idealized scheme enables us to focus on any possible weaknesses of the CTR mode itself, as opposed to weaknesses arising from properties of the underlying block cipher. We can show that this idealized scheme is secure, and that means that the mode itself is good.
It then remains to see how this "lifts" to a real world, in which we have no ideal random functions, but rather want to assess the security of the scheme $\mathcal{SE}[F]$ that uses the given family F. Here we exploit the notion of pseudorandomness to say that the chance of an adversary breaking $\mathcal{SE}[F]$ can differ from its chance of breaking the ideal-world scheme $\mathcal{SE}[\mathrm{Func}(\ell, L)]$ by an amount not exceeding the probability of breaking the pseudorandomness of F using comparable resources.
Lemma 6.16 [Security of CTRC using a random function] Let A be any IND-CPA adversary attacking $\mathcal{SE}[\mathrm{Func}(\ell, L)]$, where the scheme is depicted in Figure 6.7. Then

    $\mathbf{Adv}^{\mathrm{ind-cpa}}_{\mathcal{SE}[\mathrm{Func}(\ell, L)]}(A) = 0.$
The lemma considers an arbitrary adversary. Let us say this adversary has time-complexity t, makes q queries to its lr-encryption oracle, these totaling σ L-bit blocks. The lemma does not care about the values of t, q, or σ. (Recall, however, that after encrypting a total of $2^{\ell}$ blocks, the encryption mechanism will "shut up" and be of no use.) It says the adversary has zero advantage, meaning no chance at all of breaking the scheme. The fact that no restriction is made on t indicates that the result is information-theoretic: it holds regardless of how much computing time the adversary invests.
Of course, this lemma refers to the idealized scheme, namely the one where the function g being used by the encryption algorithm is random. But remember that ECB was insecure even in this setting. (The attacks we provided for ECB work even if the underlying cipher E is Perm(n), the family of all permutations on n-bit strings.) So the statement is not content-free; it is saying something quite meaningful and important about the CTR mode. It is not true of all modes.
We postpone the proof of the lemma. Instead we will first see how to use it to conclude the proof of the theorem. The argument here is quite simple and generic.
The lemma tells us that the CTRC encryption scheme is (very!) secure when g is a random function. But we are interested in the case where g is an instance of our given family F. So our worry is that the actual scheme $\mathcal{SE}[F]$ is insecure even though the idealized scheme $\mathcal{SE}[\mathrm{Func}(\ell, L)]$ is secure. In other words, we worry that there might be an adversary having large IND-CPA advantage in attacking $\mathcal{SE}[F]$, even though we know that its advantage in attacking $\mathcal{SE}[\mathrm{Func}(\ell, L)]$ is zero. But we claim that this is not possible if F is a secure PRF. Intuitively, the existence of such an adversary indicates that F is not approximating $\mathrm{Func}(\ell, L)$ since there is some detectable event, namely the success probability of some adversary in a certain experiment, that happens with high probability when F is used and with low probability when $\mathrm{Func}(\ell, L)$ is used. To concretize this intuition, let A be an IND-CPA adversary attacking $\mathcal{SE}[F]$. We associate to A an adversary B that is given oracle access to a function $g\colon \{0,1\}^{\ell} \to \{0,1\}^{L}$ and is trying to determine which world it is in, where in world 0 g is a random instance of $\mathrm{Func}(\ell, L)$ and in world 1 g is a random instance of F. We suggest the following strategy to the adversary. It runs A, and replies to A's oracle queries in such a way that A is attacking $\mathcal{SE}[\mathrm{Func}(\ell, L)]$ in B's world 0, and A is attacking $\mathcal{SE}[F]$ in B's world 1. The reason it is possible for B to do this is that it can execute the encryption algorithm $\mathcal{E}_g(\cdot)$ of Figure 6.7, which simply requires access to the function g. If the adversary A wins, meaning it correctly identifies the encryption oracle, B bets that g is an instance of F; otherwise, B bets that g is an instance of $\mathrm{Func}(\ell, L)$.
We stress the key point that makes this argument work. It is that the encryption function of the CTRC scheme invokes the function $F_K$ purely as an oracle. If it had, instead, made some direct use of the key K, the paradigm above would not work. The full proof follows.
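To see the two pieces this argument rests on in running code, here is an added example (not code from the notes): the Figure 6.7 scheme with g supplied purely as an oracle, a lazily sampled member of Func(ℓ, L), and the distinguisher B just described, run once against a fresh random function and once against a deliberately weak family member that stands in for F. The parameters ℓ = 16 and L = 32, the weak function weak_g and the strategy of adversary_A are our assumptions.

```python
import random
from typing import Callable, Dict, List, Optional, Tuple

# Added example, not code from the notes. Parameters, weak_g and the strategy
# of adversary_A are assumptions chosen for illustration.
ELL = 16       # g takes counter values in [0, 2^ELL)
L_BYTES = 4    # L = 32-bit output blocks, handled as bytes

Oracle = Callable[[int], bytes]
Ciphertext = Optional[Tuple[int, bytes]]   # None plays the role of "bottom"

class RandomFunction:
    """Lazily sampled instance of Func(ELL, L): a fresh input gets a uniform
    L-bit output, remembered so a repeated input is answered consistently."""
    def __init__(self, rng: random.Random) -> None:
        self.rng = rng
        self.table: Dict[int, bytes] = {}

    def __call__(self, x: int) -> bytes:
        if x not in self.table:
            self.table[x] = bytes(self.rng.getrandbits(8) for _ in range(L_BYTES))
        return self.table[x]

def weak_g(x: int) -> bytes:
    """Deliberately non-pseudorandom family member: the pad block is just the
    counter value. It stands in for an instance of F in B's world 1."""
    return x.to_bytes(L_BYTES, "big")

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class CTRC:
    """E_g / D_g of Figure 6.7: the key is never touched, only g is called."""
    def __init__(self, g: Oracle) -> None:
        self.g = g
        self.ctr = 0                               # static ctr <- 0

    def _pad(self, start: int, nbytes: int) -> bytes:
        m = -(-nbytes // L_BYTES)                  # number of L-bit blocks
        pad = b"".join(self.g(start + i) for i in range(1, m + 1))
        return pad[:nbytes]                        # first |M| bits of Pad

    def encrypt(self, msg: bytes) -> Ciphertext:
        m = -(-len(msg) // L_BYTES)
        if self.ctr + m >= (1 << ELL):             # counter exhausted: bottom
            return None
        pad = self._pad(self.ctr, len(msg))
        self.ctr += m
        return (self.ctr - m, xor(msg, pad))       # <ctr - m, C>

    def decrypt(self, ct: Tuple[int, bytes]) -> bytes:
        i, c = ct
        return xor(c, self._pad(i, len(c)))

def adversary_A(lr_query: Callable[[bytes, bytes], Ciphertext]) -> int:
    """IND-CPA adversary tuned to weak_g: asks for LR(0^32, 1^32) and bets on
    world 1 exactly when C xor 1^32 equals the counter-valued pad weak_g gives."""
    m0, m1 = bytes(L_BYTES), b"\xff" * L_BYTES
    i, c = lr_query(m0, m1)
    return 1 if xor(c, m1) == weak_g(i + 1) else 0

def adversary_B(g: Oracle, rng: random.Random) -> int:
    """The PRF distinguisher of the proof of Theorem 6.13: pick b, simulate the
    lr-encryption oracle for A with E_g, return 1 iff A guesses b correctly."""
    b = rng.getrandbits(1)
    enc = CTRC(g)

    def lr_query(m0: bytes, m1: bytes) -> Ciphertext:
        if len(m0) != len(m1):
            return None
        return enc.encrypt(m1 if b == 1 else m0)

    return 1 if adversary_A(lr_query) == b else 0

def count_ones(world: str, trials: int, seed: int) -> int:
    """How often B outputs 1 over independent runs. World "prf1" gives B the
    weak family member; world "prf0" gives it a fresh random function each run."""
    rng = random.Random(seed)
    ones = 0
    for _ in range(trials):
        g = weak_g if world == "prf1" else RandomFunction(random.Random(rng.getrandbits(64)))
        ones += adversary_B(g, rng)
    return ones

def distinct_inputs(msgs: List[bytes], seed: int) -> Tuple[bool, int]:
    """Encrypt msgs under a random g, check decryption, and report whether every
    call to g used a fresh counter value (the heart of Lemma 6.16) plus the
    number of blocks consumed."""
    g = RandomFunction(random.Random(seed))
    enc = CTRC(g)
    blocks = 0
    for msg in msgs:
        ct = enc.encrypt(msg)
        assert ct is not None and enc.decrypt(ct) == msg
        blocks += -(-len(msg) // L_BYTES)
    return len(g.table) == blocks, blocks
```

Against weak_g, A is right in every run and B always outputs 1; against a random g, A's test never fires and B outputs 1 only when its own coin b happened to be 0, i.e. about half the time, which is the gap Equations (6.4) and (6.5) measure.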
Proof of Theorem 6.13: Let A be any IND-CPA adversary attacking $\mathcal{SE} = (\mathcal{K}, \mathcal{E}, \mathcal{D})$. Assume A makes q oracle queries totaling µ bits, and has time-complexity t. Then there is an adversary B such that

    $\mathbf{Adv}^{\mathrm{ind-cpa}}_{\mathcal{SE}}(A) \le 2 \cdot \mathbf{Adv}^{\mathrm{prf}}_{F}(B).$   (6.3)

Furthermore, B will make σ oracle queries and have time-complexity that of A plus $O(q + (\ell + L)\sigma)$. Now, the statement of Theorem 6.13 follows.
Remember that B takes an oracle $g\colon \{0,1\}^{\ell} \to \{0,1\}^{L}$. This oracle is either drawn at random from F or from $\mathrm{Func}(\ell, L)$ and B does not know which. To find out, B will use A, running it as a subroutine. But remember that A too gets an oracle, namely an lr-encryption oracle. From A's point of view, this oracle is simply a subroutine: A can write, at some location, a pair of messages, and is returned a response by some entity it calls its oracle. When B runs A as a subroutine, it is B that will "simulate" the lr-encryption oracle for A, meaning B will provide the responses to any oracle queries that A makes. Here is the description of B:
Adversary $B^{g}$
    $b \stackrel{\$}{\leftarrow} \{0,1\}$
    Run adversary A, replying to its oracle queries as follows
        When A makes an oracle query $(M_0, M_1)$ do
            $C \stackrel{\$}{\leftarrow} \mathcal{E}_g(M_b)$
            Return C to A as the answer
    Until A stops and outputs a bit $b'$
    If $b' = b$ then return 1 else return 0
Here $\mathcal{E}_g(\cdot)$ denotes the encryption function of the generalized CTRC scheme that we defined in Figure 6.7. The crucial fact we are exploiting here is that this function can be implemented given an oracle for g. Adversary B itself picks the challenge bit b representing the choice of worlds for A, and then sees whether or not A succeeds in guessing the value of this bit. If it does, it bets that g is an instance of F, and otherwise it bets that g is an instance of $\mathrm{Func}(\ell, L)$. For the analysis, we claim that
    $\Pr\left[\mathbf{Exp}^{\mathrm{prf-1}}_{F}(B) = 1\right] = \frac{1}{2} + \frac{1}{2}\,\mathbf{Adv}^{\mathrm{ind-cpa}}_{\mathcal{SE}[F]}(A)$   (6.4)

    $\Pr\left[\mathbf{Exp}^{\mathrm{prf-0}}_{F}(B) = 1\right] = \frac{1}{2} + \frac{1}{2}\,\mathbf{Adv}^{\mathrm{ind-cpa}}_{\mathcal{SE}[\mathrm{Func}(\ell, L)]}(A).$   (6.5)
We will justify these claims shortly, but first let us use them to conclude. Subtracting, as per Definition 5.6, we get

    $\mathbf{Adv}^{\mathrm{prf}}_{F}(B) = \Pr\left[\mathbf{Exp}^{\mathrm{prf-1}}_{F}(B) = 1\right] - \Pr\left[\mathbf{Exp}^{\mathrm{prf-0}}_{F}(B) = 1\right]$

    $= \frac{1}{2}\,\mathbf{Adv}^{\mathrm{ind-cpa}}_{\mathcal{SE}[F]}(A) - \frac{1}{2}\,\mathbf{Adv}^{\mathrm{ind-cpa}}_{\mathcal{SE}[\mathrm{Func}(\ell, L)]}(A)$   (6.6)

    $= \frac{1}{2}\,\mathbf{Adv}^{\mathrm{ind-cpa}}_{\mathcal{SE}[F]}(A).$

The last inequality was obtained by applying Lemma 6.16, which told us that the term $\mathbf{Adv}^{\mathrm{ind-cpa}}_{\mathcal{SE}[\mathrm{Func}(\ell, L)]}(A)$ was simply zero. Rearranging terms gives us Equation (6.3). Now let us check the resource usage. Each computation $\mathcal{E}_g(M_b)$ requires $|M_b|/L$ applications of g, and hence the total number of queries made by B to its oracle g is σ. The time-complexity of B equals that of A plus the overhead for answering the oracle queries. It remains to justify Equations (6.4) and (6.5).
Adversary B returns 1 when $b = b'$, meaning that IND-CPA adversary A correctly identified the world b in which it was placed, or, in the language of Section 6.4.2, made the "correct guess." The role played by B's world is simply to alter the encryption scheme for which this is true. When B is in world 1, the encryption scheme, from the point of view of A, is $\mathcal{SE}[F]$, and when B is in world 0, the encryption scheme, from the point of view of A, is $\mathcal{SE}[\mathrm{Func}(\ell, L)]$. Thus, using the notation from Section 6.4.2, we have

    $\Pr\left[\mathbf{Exp}^{\mathrm{prf-1}}_{F}(B) = 1\right] = \Pr\left[\mathbf{Exp}^{\mathrm{ind-cpa-cg}}_{\mathcal{SE}[F]}(A) = 1\right]$

    $\Pr\left[\mathbf{Exp}^{\mathrm{prf-0}}_{F}(B) = 1\right] = \Pr\left[\mathbf{Exp}^{\mathrm{ind-cpa-cg}}_{\mathcal{SE}[\mathrm{Func}(\ell, L)]}(A) = 1\right].$

To obtain Equations (6.4) and (6.5) we can now apply Proposition 6.9.
For someone unused to PRF-based proofs of security the above may seem complex, but the underlying idea is actually very simple, and will be seen over and over again. It is simply that one can view the experiment of the IND-CPA adversary attacking the encryption scheme as information about the underlying function g being used, and if the adversary has more success in the case that g is an instance of F than that g is an instance of $\mathrm{Func}(\ell, L)$, then we have a distinguishing test between F and $\mathrm{Func}(\ell, L)$. Let us now prove the lemma about the security of the idealized CTRC scheme.
Proof of Lemma 6.16: The intuition is simple. When g is a random function, its value on successive counter values yields a one-time pad, a truly random and unpredictable sequence of bits. As long as the number of data bits encrypted does not exceed $L \cdot 2^{\ell}$, we invoke g only on distinct values in the entire encryption process. And if an encryption would result in more queries than this, the algorithm simply shuts up, so we can ignore this. The outputs of g are thus random. Since the data is XORed to this sequence, the adversary gets no information whatsoever about it.
Now, we must make sure that this intuition carries through in our setting. Our lemma statement makes reference to our notions of security, so we must use the setup in Section 6.4. The adversary A has access to an lr-encryption oracle. Since the scheme we are considering is $\mathcal{SE}[\mathrm{Func}(\ell, L)]$, the oracle is $\mathcal{E}_g(\mathrm{LR}(\cdot, \cdot, b))$, where the function $\mathcal{E}_g$ was defined in Figure 6.7, and g is a random instance of $\mathrm{Func}(\ell, L)$, meaning a random function.
The adversary makes some number q of oracle queries. Let $(M_{i,0}, M_{i,1})$ be the ith query, and let $m_i$ be the number of blocks in $M_{i,0}$. (We can assume this is the same as the number of blocks in $M_{i,1}$, since otherwise the lr-encryption oracle returns ⊥). Let $M_{i,b}[j]$ be the value of the jth L-bit block of $M_{i,b}$ for $b \in \{0,1\}$. Let $C'_i$ be the response returned by the oracle to query $(M_{i,0}, M_{i,1})$. It consists of a value that encodes the counter value, together with $m_i$ blocks of L bits each, $C_i[1] \ldots C_i[m_i]$. Pictorially:
    $M_{1,b} = M_{1,b}[1]\, M_{1,b}[2] \ldots M_{1,b}[m_1]$          $C_1 = \langle 0,\ C_1[1] \cdots C_1[m_1] \rangle$
    $M_{2,b} = M_{2,b}[1]\, M_{2,b}[2] \ldots M_{2,b}[m_2]$          $C_2 = \langle m_1,\ C_2[1] \cdots C_2[m_2] \rangle$
    ⋮
    $M_{q,b} = M_{q,b}[1]\, M_{q,b}[2] \ldots M_{q,b}[m_q]$          $C_q = \langle m_1 + \cdots + m_{q-1},\ C_q[1] \cdots C_q[m_q] \rangle$
What kind of distribution do the outputs received by A have? We claim that the $m_1 + \cdots + m_q$ values $C_i[j]$ (i = 1, ..., q and j = 1, ..., $m_i$) are randomly and independently distributed, not only of each other, but of the queried messages and the bit b, and moreover this is true in both worlds. Why? Here is where we use a crucial property of the CTR mode, namely that it XORs data with the value of g on a counter. We observe that according to the scheme

    $C_i[j] = g\big(\mathrm{NtS}_{\ell}(m_1 + \cdots + m_{i-1} + j)\big) \oplus \begin{cases} M_{i,1}[j] & \text{if we are in world 1} \\ M_{i,0}[j] & \text{if we are in world 0.} \end{cases}$

Now, we can finally see that the idea we started with is really the heart of it. The values on which g is being applied above are all distinct. So the outputs of g are all random and independent. It matters not, then, what we XOR these outputs with; what comes back is just random.
This tells us that any given output sequence from the oracle is equally likely in both worlds. Since the adversary determines its output bit based on this output sequence, its probability of returning 1 must be the same in both worlds,

    $\Pr\left[\mathbf{Exp}^{\mathrm{ind-cpa-1}}_{\mathcal{SE}[\mathrm{Func}(\ell, L)]}(A) = 1\right] = \Pr\left[\mathbf{Exp}^{\mathrm{ind-cpa-0}}_{\mathcal{SE}[\mathrm{Func}(\ell, L)]}(A) = 1\right].$

Hence A's IND-CPA advantage is zero.
6.7.2 Proof of Theorem 6.14
The proof of Theorem 6.14 reuses a lot of what we did for the proof of Theorem 6.13 above. We first look at the scheme when g is a random function, and then use the pseudorandomness of the given family F to deduce the theorem. As before we associate to a family of functions G having domain $\{0,1\}^{\ell}$ and range $\{0,1\}^{L}$ a parameterized version of the CTR$ scheme, $\mathcal{SE}[G] = (\mathcal{K}, \mathcal{E}, \mathcal{D})$. The key generation algorithm simply returns a random instance of G, meaning picks a function $g \stackrel{\$}{\leftarrow} G$ from family G at random, and views g as the key, and the encryption and decryption algorithms are shown in Figure 6.8. Here is the main lemma.
algorithm $\mathcal{E}_g(M)$
    m ← |M|/L
    $R \stackrel{\$}{\leftarrow} \{0,1\}^{\ell}$
    Pad ← g(R + 1) g(R + 2) ··· g(R + m)
    Pad ← the first |M| bits of Pad
    C' ← M ⊕ Pad
    C ← R ∥ C'
    return C

algorithm $\mathcal{D}_g(C)$
    if |C| < ℓ then return ⊥
    Parse C into R ∥ C' where |R| = ℓ
    m ← |C'|/L
    Pad ← g(R + 1) g(R + 2) ··· g(R + m)
    Pad ← the first |C'| bits of Pad
    M ← C' ⊕ Pad
    return M

Figure 6.8: Version $\mathcal{SE}[G] = (\mathcal{K}, \mathcal{E}, \mathcal{D})$ of the CTR$ scheme parameterized by a family of functions G.
Lemma 6.17 [Security of CTR$ using a random function] Let A be any IND-CPA adversary attacking $\mathcal{SE}[\mathrm{Func}(\ell, L)]$, where the scheme is depicted in Figure 6.8. Then

    $\mathbf{Adv}^{\mathrm{ind-cpa}}_{\mathcal{SE}[\mathrm{Func}(\ell, L)]}(A) \le \frac{0.5\,\sigma^2}{2^{\ell}},$

assuming A asks a number of queries whose total length is at most σ L-bit blocks.
The proof of Theorem 6.14 given this lemma is easy at this point because it is almost identical to the above
proof of Theorem 6.13, and it is the subject of Problem 6.29. We go on to prove Lemma 6.17.
Before we prove Lemma 6.17, we will analyze a certain probabilistic game. The problem we isolate here is purely
probabilistic; it has nothing to do with encryption or even cryptography.
Lemma 6.18 Let ℓ, q be positive integers, and let $m_1, \ldots, m_q < 2^{\ell}$ also be positive integers. Suppose we pick q integers $r_1, \ldots, r_q$ from $[0..2^{\ell} - 1]$ uniformly and independently at random. We consider the following $m_1 + \cdots + m_q$ numbers:

    $r_1 + 1,\ r_1 + 2,\ \ldots,\ r_1 + m_1$
    $r_2 + 1,\ r_2 + 2,\ \ldots,\ r_2 + m_2$
    ⋮
    $r_q + 1,\ r_q + 2,\ \ldots,\ r_q + m_q,$

where the addition is performed modulo $2^{\ell}$. We say that a collision occurs if some two (or more) numbers in the above table are equal. Then

    $\Pr[\mathrm{Col}] \le \frac{(q - 1)(m_1 + \cdots + m_q)}{2^{\ell}},$   (6.7)

where Col denotes the event that a collision occurs.
Proof of Lemma 6.18: As with many of the probabilistic settings that arise in this area, this is a question about some kind of "balls thrown in bins" setting, related to the birthday problem studied in Appendix A.1. Indeed a reader may find it helpful to study that appendix first.
Think of having $2^{\ell}$ bins, numbered $0, 1, \ldots, 2^{\ell} - 1$. We have q balls, numbered 1, ..., q. For each ball we choose a random bin which we call $r_i$. We choose the bins one by one, so that we first choose $r_1$, then $r_2$, and so on. When we have thrown in the first ball, we have defined the first row of the above table, namely the values $r_1 + 1, \ldots, r_1 + m_1$. Then we pick the assignment $r_2$ of the bin for the second ball. This defines the second row of the table, namely the values $r_2 + 1, \ldots, r_2 + m_2$. A collision occurs if any value in the second row equals some value in the first row. We continue, up to the qth ball, each time defining a row of the table, and are finally interested in the probability that a collision occurred somewhere in the process. To upper bound this, we want to write this probability in such a way that we can do the analysis step by step, meaning view it in terms of having thrown, and fixed, some number of balls, and seeing whether there is a collision when we throw in one more ball. To this end let $\mathrm{Col}_i$ denote the event that there is a collision somewhere in the first i rows of the table, for i = 1, ..., q. Let $\mathrm{NoCol}_i$ denote the event that there is no collision in the first i rows of the table, for i = 1, ..., q. Then by conditioning we have
    $\Pr[\mathrm{Col}] = \Pr[\mathrm{Col}_q]$
    $= \Pr[\mathrm{Col}_{q-1}] + \Pr[\mathrm{Col}_q \mid \mathrm{NoCol}_{q-1}] \cdot \Pr[\mathrm{NoCol}_{q-1}]$
    $\le \Pr[\mathrm{Col}_{q-1}] + \Pr[\mathrm{Col}_q \mid \mathrm{NoCol}_{q-1}]$
    $\le \cdots$
    $\le \Pr[\mathrm{Col}_1] + \sum_{i=2}^{q} \Pr[\mathrm{Col}_i \mid \mathrm{NoCol}_{i-1}]$
    $= \sum_{i=2}^{q} \Pr[\mathrm{Col}_i \mid \mathrm{NoCol}_{i-1}].$
Thus we need to upper bound the chance of a collision upon throwing the ith ball, given that there was no collision created by the first i − 1 balls. Then we can sum up the quantities obtained and obtain our bound. We claim that for any i = 2, ..., q we have

    $\Pr[\mathrm{Col}_i \mid \mathrm{NoCol}_{i-1}] \le \frac{(i - 1) m_i + m_{i-1} + \cdots + m_1}{2^{\ell}}.$   (6.8)
Let us first see why this proves the lemma and then return to justify it. From the above and Equation (6.8) we have

    $\Pr[\mathrm{Col}] \le \sum_{i=2}^{q} \Pr[\mathrm{Col}_i \mid \mathrm{NoCol}_{i-1}] \le \sum_{i=2}^{q} \frac{(i - 1) m_i + m_{i-1} + \cdots + m_1}{2^{\ell}} = \frac{(q - 1)(m_1 + \cdots + m_q)}{2^{\ell}}.$

How did we do the last sum? The term $m_i$ occurs with weight i − 1 in the ith term of the sum, and then with weight 1 in the jth term of the sum for j = i + 1, ..., q. So its total weight is (i − 1) + (q − i) = q − 1.
It remains to prove Equation (6.8). To get some intuition about it, begin with the cases i = 1, 2. When we throw in the first ball, the chance of a collision is zero, since there is no previous row with which to collide, so that is simple. When we throw in the second, what is the chance of a collision? The question is, what is the probability that one of the numbers $r_2 + 1, \ldots, r_2 + m_2$ defined by the second ball is equal to one of the numbers $r_1 + 1, \ldots, r_1 + m_1$ already in the table? View $r_1$ as fixed. Observe that a collision occurs if and only if $r_1 - m_2 + 1 \le r_2 \le r_1 + m_1 - 1$. So there are $(r_1 + m_1 - 1) - (r_1 - m_2 + 1) + 1 = m_1 + m_2 - 1$ choices of $r_2$ that could yield a collision. This means that $\Pr[\mathrm{Col}_2 \mid \mathrm{NoCol}_1] \le (m_2 + m_1 - 1)/2^{\ell}$.
We need to extend this argument as we throw in more balls. So now suppose i − 1 balls have been thrown in, where 2 ≤ i ≤ q, and suppose there is no collision in the first i − 1 rows of the table. We throw in the ith ball, and want to know what is the probability that a collision occurs. We are viewing the first i − 1 rows of the table as fixed, so the question is just what is the probability that one of the numbers defined by $r_i$ equals one of the numbers in the first i − 1 rows of the table. A little thought shows that the worst case (meaning the case where the probability is the largest) is when the existing i − 1 rows are well spread-out. We can upper bound the collision probability by reasoning just as above, except that there are i − 1 different intervals to worry about rather than just one. The ith row can intersect with the first row, or the second row, or the third, and so on, up to the (i − 1)th row. So we get

    $\Pr[\mathrm{Col}_i \mid \mathrm{NoCol}_{i-1}] \le \frac{(m_i + m_1 - 1) + (m_i + m_2 - 1) + \cdots + (m_i + m_{i-1} - 1)}{2^{\ell}} = \frac{(i - 1) m_i + m_{i-1} + \cdots + m_1 - (i - 1)}{2^{\ell}},$

and Equation (6.8) follows by just dropping the negative term in the above.
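The collision game just analyzed, as an added example that is not part of the notes: the table of Lemma 6.18 built from random $r_i$ (the very points at which the Figure 6.8 encryptor evaluates g), the bound of Equation (6.7), an exhaustive check of the i = 2 count $m_1 + m_2 - 1$ for a small ℓ, and a seeded Monte Carlo estimate compared against the bound. The values of ℓ, the $m_i$ and the seeds are our own choices.

```python
import random
from typing import List, Sequence

# Added example, not from the notes: the "balls in bins" game of Lemma 6.18 and
# its bound (q-1)(m_1+...+m_q)/2^ell, with ell kept small so the i = 2 step can
# be checked exhaustively. All parameter values are constructed for illustration.

def counter_values(ell: int, r: Sequence[int], m: Sequence[int]) -> List[int]:
    """Row i of the lemma's table: r_i + 1, ..., r_i + m_i, added modulo 2^ell.
    These are exactly the inputs on which CTR$ (Figure 6.8) evaluates g."""
    mod = 1 << ell
    return [(ri + j) % mod for ri, mi in zip(r, m) for j in range(1, mi + 1)]

def has_collision(ell: int, r: Sequence[int], m: Sequence[int]) -> bool:
    """Event Col: some two entries of the table coincide."""
    vals = counter_values(ell, r, m)
    return len(set(vals)) < len(vals)

def lemma_bound(ell: int, m: Sequence[int]) -> float:
    """Right-hand side of Equation (6.7)."""
    return (len(m) - 1) * sum(m) / (1 << ell)

def second_row_collision_prob(ell: int, m1: int, m2: int) -> float:
    """Exact Pr[Col_2 | NoCol_1], enumerating every r_2 against a fixed r_1.
    The proof counts m_1 + m_2 - 1 colliding choices of r_2; this verifies that
    count, wrap-around modulo 2^ell included."""
    r1 = 0
    bad = sum(has_collision(ell, [r1, r2], [m1, m2]) for r2 in range(1 << ell))
    return bad / (1 << ell)

def estimate_collision_prob(ell: int, m: Sequence[int], trials: int, seed: int) -> float:
    """Monte Carlo estimate of Pr[Col] with r_1, ..., r_q drawn uniformly and
    independently, as the encryptor of Figure 6.8 does (fixed seed, so repeatable)."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        r = [rng.randrange(1 << ell) for _ in m]
        hits += has_collision(ell, r, m)
    return hits / trials

def within_bound(ell: int, m: Sequence[int], trials: int, seed: int) -> bool:
    """True when the estimate respects Equation (6.7), as the lemma says it must."""
    return estimate_collision_prob(ell, m, trials, seed) <= lemma_bound(ell, m)
```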
Let us now extend the proof of Lemma 6.16 to prove Lemma 6.17.
Proof of Lemma 6.17: Recall that the idea of the proof of Lemma 6.16 was that when g is a random function, its value on successive counter values yields a one-time pad. This holds whenever g is applied on some set of distinct values. In the counter case, the inputs to g are always distinct. In the randomized case they may not be distinct. The approach is to consider the event that they are distinct, and say that in that case the adversary has no advantage; and on the other hand, while it may have a large advantage in the other case, that case does not happen often. We now flesh all this out in more detail.
The adversary makes some number q of oracle queries. Let $(M_{i,0}, M_{i,1})$ be the ith query, and let $m_i$ be the number of blocks in $M_{i,0}$. (We can assume this is the same as the number of blocks in $M_{i,1}$, since otherwise the lr-encryption oracle returns ⊥). Let $M_{i,b}[j]$ be the value of the jth L-bit block of $M_{i,b}$ for $b \in \{0,1\}$. Let $C'_i$ be the response returned by the oracle to query $(M_{i,0}, M_{i,1})$. It consists of the encoding of a number $r_i \in [0..2^{\ell} - 1]$ and an $m_i$-block message $C_i = C_i[1] \cdots C_i[m_i]$. Pictorially:
    $M_{1,b} = M_{1,b}[1]\, M_{1,b}[2] \ldots M_{1,b}[m_1]$          $C_1 = \langle r_1,\ C_1[1] \cdots C_1[m_1] \rangle$
    $M_{2,b} = M_{2,b}[1]\, M_{2,b}[2] \ldots M_{2,b}[m_2]$          $C_2 = \langle r_2,\ C_2[1] \ldots C_2[m_2] \rangle$
    ⋮
    $M_{q,b} = M_{q,b}[1]\, M_{q,b}[2] \ldots M_{q,b}[m_q]$          $C_q = \langle r_q,\ C_q[1] \ldots C_q[m_q] \rangle$
Let NoCol be the event that the following $m_1 + \cdots + m_q$ values are all distinct:

    $r_1 + 1,\ r_1 + 2,\ \ldots,\ r_1 + m_1$
    $r_2 + 1,\ r_2 + 2,\ \ldots,\ r_2 + m_2$
    ⋮
    $r_q + 1,\ r_q + 2,\ \ldots,\ r_q + m_q$

Let Col be the complement of the event NoCol, meaning the event that the above table contains at least two values that are the same. It is useful for the analysis to introduce the following shorthand:

    $\Pr_0[\cdot]$ = The probability of event "·" in world 0
    $\Pr_1[\cdot]$ = The probability of event "·" in world 1.
We will use the following three claims, which are proved later. The first claim says that the probability of a collision in the above table does not depend on which world we are in.

Claim 1: $\Pr_1[\mathrm{Col}] = \Pr_0[\mathrm{Col}]$. □

The second claim says that A has zero advantage in winning the left-or-right game in the case that no collisions occur in the table. Namely, its probability of outputting one is identical in these two worlds under the assumption that no collisions have occurred in the values in the table.

Claim 2: $\Pr_0[A = 1 \mid \mathrm{NoCol}] = \Pr_1[A = 1 \mid \mathrm{NoCol}]$. □

We can say nothing about the advantage of A if a collision does occur in the table. It might be big. However, it will suffice to know that the probability of a collision is small. Since we already know that this probability is the same in both worlds (Claim 1) we bound it just in world 0:

Claim 3: $\Pr_0[\mathrm{Col}] \le \frac{\sigma^2}{2^{\ell}}$. □
Let us see how these put together complete the proof of the lemma, and then go back and prove them.

Proof of Lemma given Claims: It is a simple conditioning argument:
$$\begin{aligned}
\math{Adv}^{\text{ind-cpa}}_{\mathcal{SE}[\mathrm{Func}(\_,L)]}(A)
&= \Pr_1[A = 1] - \Pr_0[A = 1]\\
&= \Pr_1[A = 1 \mid \mathrm{Col}]\cdot\Pr_1[\mathrm{Col}] + \Pr_1[A = 1 \mid \mathrm{NoCol}]\cdot\Pr_1[\mathrm{NoCol}]\\
&\quad - \Pr_0[A = 1 \mid \mathrm{Col}]\cdot\Pr_0[\mathrm{Col}] - \Pr_0[A = 1 \mid \mathrm{NoCol}]\cdot\Pr_0[\mathrm{NoCol}]\\
&= \left(\Pr_1[A = 1 \mid \mathrm{Col}] - \Pr_0[A = 1 \mid \mathrm{Col}]\right)\cdot\Pr_0[\mathrm{Col}]\\
&\le \Pr_0[\mathrm{Col}]\ .
\end{aligned}$$
The second-last step used Claims 1 and 2. In the last step we simply upper bounded the parenthesized expression by 1. Now apply Claim 3, and we are done. $\square$
It remains to prove the three claims.

Proof of Claim 1: The event NoCol depends only on the random values $r_1, \ldots, r_q$ chosen by the encryption algorithm $\mathcal{E}_g(\cdot)$. These choices, however, are made in exactly the same way in both worlds. The difference in the two worlds is what message is encrypted, not how the random values are chosen. $\square$

Proof of Claim 2: Given the event NoCol, we have that, in either game, the function $g$ is evaluated at a new point each time it is invoked. Thus the output is randomly and uniformly distributed over $\{0,1\}^L$, independently of anything else. That means the reasoning from the counter-based scheme as given in Lemma 6.16 applies. Namely, we observe that according to the scheme
$$C_i[j] = g(r_i + j) \oplus \begin{cases} M_{i,1}[j] & \text{if we are in world 1}\\ M_{i,0}[j] & \text{if we are in world 0.}\end{cases}$$
Thus each cipher block is a message block XORed with a random value. A consequence of this is that each cipher block has a distribution that is independent of any previous cipher blocks and of the messages. $\square$

Proof of Claim 3: This follows from Lemma 6.18. We simply note that $m_1 + \cdots + m_q = \sigma$. $\square$

This concludes the proof.
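To make the collision event of this proof concrete, here is an added example (my own code, not part of the lecture notes) that models the NoCol and Col events on constructed toy parameters: it tests the NoCol condition for a given choice of the $r_i$, enumerates $\Pr_0[\mathrm{Col}]$ exactly for a tiny counter width, estimates it by sampling the $r_i$ uniformly as the encryption algorithm does, and compares both with the $\sigma^2$-over-$2^{\text{counter width}}$ bound of Claim 3. The counter width `ell`, the per-query block counts `lengths` and the trial count are assumptions chosen for the demonstration.

```python
import random
from itertools import product

# Added example (not from the lecture notes). Parameters ell (counter width in
# bits), lengths (the m_i) and the trial count are constructed toy values.

def no_col(starts, lengths, ell):
    """NoCol: the counter values r_i+1, ..., r_i+m_i of all q queries are pairwise
    distinct. A counter of ell bits wraps, so values are taken mod 2^ell."""
    modulus = 1 << ell
    seen = set()
    for r, m in zip(starts, lengths):
        for j in range(1, m + 1):
            v = (r + j) % modulus
            if v in seen:
                return False
            seen.add(v)
    return True

def collision_bound(lengths, ell):
    """The bound of Claim 3: sigma^2 / 2^ell with sigma = m_1 + ... + m_q."""
    sigma = sum(lengths)
    return sigma * sigma / (1 << ell)

def exact_col_probability(lengths, ell):
    """Pr_0[Col] by enumerating every choice of (r_1, ..., r_q); this is only
    feasible for tiny ell and q, which is exactly when a check is informative."""
    modulus = 1 << ell
    q = len(lengths)
    hits = sum(1 for starts in product(range(modulus), repeat=q)
               if not no_col(starts, lengths, ell))
    return hits / modulus ** q

def estimate_col_probability(lengths, ell, trials=4000, seed=1):
    """Monte Carlo estimate of Pr_0[Col] for parameters too big to enumerate.
    The r_i are drawn exactly as the encryption algorithm draws them: uniformly."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        starts = [rng.randrange(1 << ell) for _ in lengths]
        if not no_col(starts, lengths, ell):
            hits += 1
    return hits / trials

if __name__ == "__main__":
    lengths, ell = [3, 2], 4      # two queries of 3 and 2 blocks, 4-bit counter
    print("exact Pr[Col]   =", exact_col_probability(lengths, ell))
    print("estimate        =", estimate_col_probability(lengths, ell))
    print("sigma^2 / 2^ell =", collision_bound(lengths, ell))
```

For two queries of $m_1$ and $m_2$ blocks the two counter ranges overlap for exactly $m_1 + m_2 - 1$ of the possible differences $r_2 - r_1$, so the exact probability is $(m_1+m_2-1)/2^{\text{counter width}}$ (0.25 for the values above), comfortably below the bound; the bound exceeds 1 once $\sigma^2 \ge 2^{\text{counter width}}$, which is the point at which the lemma stops saying anything useful.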
algorithm $\mathcal{E}_g(M)$
    if ($|M| \bmod n \ne 0$ or $|M| = 0$) then return $\bot$
    Break $M$ into $n$-bit blocks $M[1] \cdots M[m]$
    $C[0] \leftarrow IV \xleftarrow{\$} \{0,1\}^n$
    for $i \leftarrow 1$ to $m$ do
        $C[i] \leftarrow g(C[i-1] \oplus M[i])$
    $C \leftarrow C[1] \cdots C[m]$
    return $\langle IV, C\rangle$

algorithm $\mathcal{D}_g(\langle IV, C\rangle)$
    return $\bot$

Figure 6.9: Version $\mathcal{SE}[G] = (\mathcal{K}, \mathcal{E}, \mathcal{D})$ of the CBC$ scheme parameterized by a family of functions $G$.
6.8 Security of CBC with a random IV

In this section we show that CBC encryption using a random IV is IND-CPA secure as long as $E$ is a block cipher that is a secure PRF or PRP. Namely we show:

Theorem 6.19 [Security of CBC$ mode] Let $E\colon \mathcal{K} \times \{0,1\}^n \to \{0,1\}^n$ be a block cipher and let $\mathcal{SE} = (\mathcal{K}, \mathcal{E}, \mathcal{D})$ be the corresponding CBC$ symmetric encryption scheme as described in Scheme 6.6. Let $A$ be an adversary (for attacking the IND-CPA security of $\mathcal{SE}$) that runs in time at most $t$ and asks at most $q$ queries, these totaling at most $\sigma$ $n$-bit blocks. Then there exists an adversary $B$ (attacking the PRF security of $E$) such that
$$\mathrm{Adv}^{\text{ind-cpa}}_{\mathcal{SE}}(A) \le \mathrm{Adv}^{\text{prf}}_{E}(B) + \frac{\sigma^2}{2^{n+1}}\ .$$
Furthermore $B$ runs in time at most $t' = t + O(q + n\sigma)$ and asks at most $q' = \sigma$ oracle queries.
To prove this theorem, we proceed as before to introduce a scheme that takes as a parameter any given family of functions $G$ having domain and range $\{0,1\}^n$. The cases of interest are $G = E$ and $G = \mathrm{Func}(n,n)$. The algorithms of the scheme are depicted in Figure 6.9. Note that the decryption algorithm simply returns $\bot$, so that this scheme does not have the correct decryption property. But one can still discuss its security, and it is important for us to do so. Now, the main result is the information-theoretic one in which the underlying function family is $\mathrm{Func}(n,n)$.
Lemma 6.20 [Security of CBC$ using a random function] Let $A$ be any IND-CPA adversary attacking $\mathcal{SE}[\mathrm{Func}(n,n)]$, where the scheme is depicted in Figure 6.9. Then
$$\mathrm{Adv}^{\text{ind-cpa}}_{\mathrm{CBC\$}[\mathrm{Func}(n,n)]}(A) \le \frac{\sigma^2}{2^{n+1}}\ ,$$
assuming $A$ asks a number of queries whose total length is at most $\sigma$ $n$-bit blocks.

Given this lemma, the proof of Theorem 6.19 follows in the usual way, so our main task is to prove the lemma. This is postponed for now.
6.9 Indistinguishability under chosen-ciphertext attack

So far we have considered privacy under chosen-plaintext attack. Sometimes we want to consider privacy when the adversary is capable of mounting a stronger type of attack, namely a chosen-ciphertext attack. In this type of attack, an adversary has access to a decryption oracle. It can feed this oracle a ciphertext and get back the corresponding plaintext.
How might such a situation arise? One situation one could imagine is that an adversary at some point gains
temporary access to the equipment performing decryption. It can feed the equipment ciphertexts and see what
plaintexts emerge. (We assume it cannot directly extract the key from the equipment, however.)
If an adversary has access to a decryption oracle, security at first seems moot, since after all it can decrypt anything it wants. To create a meaningful notion of security, we put a restriction on the use of the decryption oracle. To see what this is, let us look closer at the formalization. As in the case of chosen-plaintext attacks, we consider two worlds:

World 0: The adversary is provided the oracle $\mathcal{E}_K(\mathrm{LR}(\cdot,\cdot,0))$ as well as the oracle $\mathcal{D}_K(\cdot)$.

World 1: The adversary is provided the oracle $\mathcal{E}_K(\mathrm{LR}(\cdot,\cdot,1))$ as well as the oracle $\mathcal{D}_K(\cdot)$.
The adversary’s goal is the same as in the case of chosen-plaintext attacks: it wants to figure out which world it is in. There is one easy way to do this. Namely, query the lr-encryption oracle on two distinct, equal length messages $M_0, M_1$ to get back a ciphertext $C$, and now call the decryption oracle on $C$. If the message returned by the decryption oracle is $M_0$ then the adversary is in world 0, and if the message returned by the decryption oracle is $M_1$ then the adversary is in world 1. The restriction we impose is simply that this call to the decryption oracle is not allowed. More generally, call a query $C$ to the decryption oracle illegitimate if $C$ was previously returned by the lr-encryption oracle; otherwise a query is legitimate. We insist that only legitimate queries are allowed. In the formalization below, the experiment simply returns 0 if the adversary makes an illegitimate query. (We clarify that a query $C$ is legitimate if $C$ is returned by the lr-encryption oracle after $C$ was queried to the decryption oracle.)
This restriction still leaves the adversary with a lot of power. Typically, a successful chosen-ciphertext attack proceeds by taking a ciphertext $C$ returned by the lr-encryption oracle, modifying it into a related ciphertext $C'$, and querying the decryption oracle with $C'$. The attacker seeks to create $C'$ in such a way that its decryption tells the attacker what the underlying message $M$ was. We will see this illustrated in Section 6.10 below.
The model we are considering here might seem quite artificial. If an adversary has access to a decryption oracle, how can we prevent it from calling the decryption oracle on certain messages? The restriction might arise due to the adversary’s having access to the decryption equipment for a limited period of time. We imagine that after it has lost access to the decryption equipment, it sees some ciphertexts, and we are capturing the security of these ciphertexts in the face of previous access to the decryption oracle. Further motivation for the model will emerge when we see how encryption schemes are used in protocols. We will see that when an encryption scheme is used in many authenticated key-exchange protocols the adversary effectively has the ability to mount chosen-ciphertext attacks of the type we are discussing. For now let us just provide the definition and exercise it.
Definition 6.21 Let $\mathcal{SE} = (\mathcal{K}, \mathcal{E}, \mathcal{D})$ be a symmetric encryption scheme, let $A$ be an algorithm that has access to two oracles, and let $b$ be a bit. We consider the following experiment:

Experiment $\mathbf{Exp}^{\text{ind-cca-}b}_{\mathcal{SE}}(A)$
    $K \xleftarrow{\$} \mathcal{K}$
    $b' \xleftarrow{\$} A^{\mathcal{E}_K(\mathrm{LR}(\cdot,\cdot,b)),\,\mathcal{D}_K(\cdot)}$
    If $A$ queried $\mathcal{D}_K(\cdot)$ on a ciphertext previously returned by $\mathcal{E}_K(\mathrm{LR}(\cdot,\cdot,b))$
        then return 0
        else return $b'$

The IND-CCA advantage of $A$ is defined as
$$\mathrm{Adv}^{\text{ind-cca}}_{\mathcal{SE}}(A) = \Pr\left[\mathbf{Exp}^{\text{ind-cca-1}}_{\mathcal{SE}}(A) = 1\right] - \Pr\left[\mathbf{Exp}^{\text{ind-cca-0}}_{\mathcal{SE}}(A) = 1\right]\ .$$
The conventions with regard to resource measures are the same as those used in the case of chosen-plaintext attacks. In particular, the length of a query $M_0, M_1$ to the lr-encryption oracle is defined as the length of $M_0$.

We consider an encryption scheme to be “secure against chosen-ciphertext attack” if a “reasonable” adversary cannot obtain “significant” advantage in distinguishing the cases $b = 0$ and $b = 1$ given access to the oracles, where reasonable reflects its resource usage. The technical notion is called indistinguishability under chosen-ciphertext attack, denoted IND-CCA.
6.10 Example chosen-ciphertext attacks

Chosen-ciphertext attacks are powerful enough to break all the standard modes of operation, even those like CTR and CBC that are secure against chosen-plaintext attack. The one-time pad scheme is also vulnerable to a chosen-ciphertext attack: our notion of perfect security only took into account chosen-plaintext attacks. Let us now illustrate a few chosen-ciphertext attacks.
6.10.1 Attacks on the CTR schemes

Let $F\colon \mathcal{K} \times \{0,1\}^n \to \{0,1\}^{\_}$ be a family of functions and let $\mathcal{SE} = (\mathcal{K}, \mathcal{E}, \mathcal{D})$ be the associated CTR$ symmetric encryption scheme as described in Scheme 6.6. The weakness of the scheme that makes it susceptible to a chosen-ciphertext attack is the following. Say $\langle r, C\rangle$ is a ciphertext of some $\_$-bit message $M$, and we flip bit $i$ of $C$, resulting in a new ciphertext $\langle r, C'\rangle$. Let $M'$ be the message obtained by decrypting the new ciphertext. Then $M'$ equals $M$ with the $i$th bit flipped. (You should check that you understand why.) Thus, by making a decryption oracle query of $\langle r, C'\rangle$ one can learn $M'$ and thus $M$. In the following, we show how this idea can be applied to break the scheme in our model by figuring out in which world an adversary has been placed.
Proposition 6.22 Let $F\colon \mathcal{K} \times \{0,1\}^n \to \{0,1\}^{\_}$ be a family of functions and let $\mathcal{SE} = (\mathcal{K}, \mathcal{E}, \mathcal{D})$ be the corresponding CTR$ symmetric encryption scheme as described in Scheme 6.6. Then
$$\mathrm{Adv}^{\text{ind-cca}}_{\mathcal{SE}}(t, 1, \_, 1, n + \_) = 1$$
for $t = O(n + \_)$ plus the time for one application of $F$.

The advantage of this adversary is 1 even though it uses hardly any resources: just one query to each oracle. That is clearly an indication that the scheme is insecure.
Proof of Proposition 6.22: We will present an adversary algorithm $A$, having time-complexity $t$, making 1 query to its lr-encryption oracle, this query being of length $\_$, making 1 query to its decryption oracle, this query being of length $n + \_$, and having
$$\mathrm{Adv}^{\text{ind-cca}}_{\mathcal{SE}}(A) = 1\ .$$
The Proposition follows.

Remember that the lr-encryption oracle $\mathcal{E}_K(\mathrm{LR}(\cdot,\cdot,b))$ takes input a pair of messages, and returns an encryption of either the left or the right message in the pair, depending on the value of $b$. The goal of $A$ is to determine the value of $b$. Our adversary works like this:

Adversary $A^{\mathcal{E}_K(\mathrm{LR}(\cdot,\cdot,b)),\,\mathcal{D}_K(\cdot)}$
    $M_0 \leftarrow 0^{\_}$; $M_1 \leftarrow 1^{\_}$
    $\langle r, C\rangle \leftarrow \mathcal{E}_K(\mathrm{LR}(M_0, M_1, b))$
    $C' \leftarrow C \oplus 1^{\_}$
    $M \leftarrow \mathcal{D}_K(\langle r, C'\rangle)$
    If $M = M_0$ then return 1 else return 0
The adversary’s single lr-encryption oracle query is the pair of distinct messages $M_0, M_1$, each one block long. It is returned a ciphertext $\langle r, C\rangle$. It flips the bits of $C$ to get $C'$ and then feeds the ciphertext $\langle r, C'\rangle$ to the decryption oracle. It bets on world 1 if it gets back $M_0$, and otherwise on world 0. Notice that $\langle r, C'\rangle \ne \langle r, C\rangle$, so the decryption query is legitimate. Now, we claim that
$$\Pr\left[\mathbf{Exp}^{\text{ind-cca-1}}_{\mathcal{SE}}(A) = 1\right] = 1 \qquad\text{and}\qquad \Pr\left[\mathbf{Exp}^{\text{ind-cca-0}}_{\mathcal{SE}}(A) = 1\right] = 0\ .$$
Hence $\mathrm{Adv}^{\text{ind-cca}}_{\mathcal{SE}}(A) = 1 - 0 = 1$. And $A$ achieved this advantage by making just one lr-encryption oracle query, whose length, which as per our conventions is just the length of $M_0$, is $\_$ bits, and just one decryption oracle query, whose length is $n + \_$ bits (assuming an encoding of $\langle r, X\rangle$ as $n + |X|$ bits). So $\mathrm{Adv}^{\text{ind-cca}}_{\mathcal{SE}}(t, 1, \_, 1, n + \_) = 1$.
Why are the two equations claimed above true? You have to return to the definitions of the quantities in question, as well as the description of the scheme itself, and walk it through. In world 1, meaning $b = 1$, let $\langle r, C\rangle$ denote the ciphertext returned by the lr-encryption oracle. Then
$$C = F_K(r+1) \oplus M_1 = F_K(r+1) \oplus 1^{\_}\ .$$
Now notice that
$$\begin{aligned}
M &= \mathcal{D}_K(\langle r, C'\rangle)\\
&= F_K(r+1) \oplus C'\\
&= F_K(r+1) \oplus C \oplus 1^{\_}\\
&= F_K(r+1) \oplus \left(F_K(r+1) \oplus 1^{\_}\right) \oplus 1^{\_}\\
&= 0^{\_}\\
&= M_0\ .
\end{aligned}$$
Thus, the decryption oracle will return $M_0$, and $A$ will return 1. In world 0, meaning $b = 0$, let $\langle r, C\rangle$ denote the ciphertext returned by the lr-encryption oracle. Then
$$C = F_K(r+1) \oplus M_0 = F_K(r+1) \oplus 0^{\_}\ .$$
Now notice that
$$\begin{aligned}
M &= \mathcal{D}_K(\langle r, C'\rangle)\\
&= F_K(r+1) \oplus C'\\
&= F_K(r+1) \oplus C \oplus 1^{\_}\\
&= F_K(r+1) \oplus \left(F_K(r+1) \oplus 0^{\_}\right) \oplus 1^{\_}\\
&= 1^{\_}\\
&= M_1\ .
\end{aligned}$$
Thus, the decryption oracle will return $M_1$, and $A$ will return 0, meaning it will return 1 with probability zero.

An attack on CTRC (cf. Scheme 6.7) is similar, and is left to the reader.
6.10.2 Attack on CBC$

Let $E\colon \mathcal{K} \times \{0,1\}^n \to \{0,1\}^n$ be a block cipher and let $\mathcal{SE} = (\mathcal{K}, \mathcal{E}, \mathcal{D})$ be the associated CBC$ symmetric encryption scheme as described in Scheme 6.4. The weakness of the scheme that makes it susceptible to a chosen-ciphertext attack is the following. Say $\langle IV, C[1]\rangle$ is a ciphertext of some $n$-bit message $M$, and we flip bit $i$ of the IV, resulting in a new ciphertext $\langle IV', C[1]\rangle$. Let $M'$ be the message obtained by decrypting the new ciphertext. Then $M'$ equals $M$ with the $i$th bit flipped. (You should check that you understand why by looking at Scheme 6.4.) Thus, by making a decryption oracle query of $\langle IV', C[1]\rangle$ one can learn $M'$ and thus $M$. In the following, we show how this idea can be applied to break the scheme in our model by figuring out in which world an adversary has been placed.

Proposition 6.23 Let $E\colon \mathcal{K} \times \{0,1\}^n \to \{0,1\}^n$ be a block cipher and let $\mathcal{SE} = (\mathcal{K}, \mathcal{E}, \mathcal{D})$ be the corresponding CBC$ encryption scheme as described in Scheme 6.4. Then
$$\mathrm{Adv}^{\text{ind-cca}}_{\mathcal{SE}}(t, 1, n, 1, 2n) = 1$$
for $t = O(n)$ plus the time for one application of $E$.

The advantage of this adversary is 1 even though it uses hardly any resources: just one query to each oracle. That is clearly an indication that the scheme is insecure.
Proof of Proposition 6.23: We will present an adversary $A$, having time-complexity $t$, making 1 query to its lr-encryption oracle, this query being of length $n$, making 1 query to its decryption oracle, this query being of length $2n$, and having
$$\mathrm{Adv}^{\text{ind-cca}}_{\mathcal{SE}}(A) = 1\ .$$
The proposition follows.

Remember that the lr-encryption oracle $\mathcal{E}_K(\mathrm{LR}(\cdot,\cdot,b))$ takes input a pair of messages, and returns an encryption of either the left or the right message in the pair, depending on the value of $b$. The goal of $A$ is to determine the value of $b$. Our adversary works like this:

Adversary $A^{\mathcal{E}_K(\mathrm{LR}(\cdot,\cdot,b)),\,\mathcal{D}_K(\cdot)}$
    $M_0 \leftarrow 0^n$; $M_1 \leftarrow 1^n$
    $\langle IV, C[1]\rangle \leftarrow \mathcal{E}_K(\mathrm{LR}(M_0, M_1, b))$
    $IV' \leftarrow IV \oplus 1^n$
    $M \leftarrow \mathcal{D}_K(\langle IV', C[1]\rangle)$
    If $M = M_0$ then return 1 else return 0
The adversary’s single lr-encryption oracle query is the pair of distinct messages $M_0, M_1$, each one block long. It is returned a ciphertext $\langle IV, C[1]\rangle$. It flips the bits of the IV to get a new IV, $IV'$, and then feeds the ciphertext $\langle IV', C[1]\rangle$ to the decryption oracle. It bets on world 1 if it gets back $M_0$, and otherwise on world 0. It is important that $\langle IV', C[1]\rangle \ne \langle IV, C[1]\rangle$ so the decryption oracle query is legitimate. Now, we claim that
$$\Pr\left[\mathbf{Exp}^{\text{ind-cca-1}}_{\mathcal{SE}}(A) = 1\right] = 1 \qquad\text{and}\qquad \Pr\left[\mathbf{Exp}^{\text{ind-cca-0}}_{\mathcal{SE}}(A) = 1\right] = 0\ .$$
Hence $\mathrm{Adv}^{\text{ind-cca}}_{\mathcal{SE}}(A) = 1 - 0 = 1$. And $A$ achieved this advantage by making just one lr-encryption oracle query, whose length, which as per our conventions is just the length of $M_0$, is $n$ bits, and just one decryption oracle query, whose length is $2n$ bits. So $\mathrm{Adv}^{\text{ind-cca}}_{\mathcal{SE}}(t, 1, n, 1, 2n) = 1$.
Why are the two equations claimed above true? You have to return to the definitions of the quantities in question, as well as the description of the scheme itself, and walk it through. In world 1, meaning $b = 1$, the lr-encryption oracle returns $\langle IV, C[1]\rangle$ with
$$C[1] = E_K(IV \oplus M_1) = E_K(IV \oplus 1^n)\ .$$
Now notice that
$$\begin{aligned}
M &= \mathcal{D}_K(\langle IV', C[1]\rangle)\\
&= E_K^{-1}(C[1]) \oplus IV'\\
&= E_K^{-1}\left(E_K(IV \oplus 1^n)\right) \oplus IV'\\
&= (IV \oplus 1^n) \oplus IV'\\
&= (IV \oplus 1^n) \oplus (IV \oplus 1^n)\\
&= 0^n\\
&= M_0\ .
\end{aligned}$$
Thus, the decryption oracle will return $M_0$, and $A$ will return 1. In world 0, meaning $b = 0$, the lr-encryption oracle returns $\langle IV, C[1]\rangle$ with
$$C[1] = E_K(IV \oplus M_0) = E_K(IV \oplus 0^n)\ .$$
Now notice that
$$\begin{aligned}
M &= \mathcal{D}_K(\langle IV', C[1]\rangle)\\
&= E_K^{-1}(C[1]) \oplus IV'\\
&= E_K^{-1}\left(E_K(IV \oplus 0^n)\right) \oplus IV'\\
&= (IV \oplus 0^n) \oplus IV'\\
&= (IV \oplus 0^n) \oplus (IV \oplus 1^n)\\
&= 1^n\\
&= M_1\ .
\end{aligned}$$
Thus, the decryption oracle will return $M_1$, and $A$ will return 0, meaning it will return 1 with probability zero.
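The experiment of Definition 6.21 and the two bit-flipping adversaries of Propositions 6.22 and 6.23 can be run end to end. The following is an added example (my own code, not from the notes) that does so on one-block toy versions of CTR$ and CBC$ built over lazily sampled random functions and permutations; the block length `N = 32` and every function and class name are my own assumptions. It goes beyond the propositions in two ways: the experiment is written for any scheme given as a (keygen, encrypt, decrypt) triple, and the CTR adversary is also run against an encrypt-then-MAC variant (HMAC-SHA256 over $\langle r, C\rangle$) to show what the integrity check buys: the altered ciphertext is rejected by decryption and the advantage drops from 1 to 0.

```python
import hashlib
import hmac
import random

# Added example (not from the lecture notes): N and all names here are my own toy
# choices. One-block CTR$/CBC$, Definition 6.21's experiment, Propositions 6.22/6.23.
N = 32                        # block length in bits
MASK = (1 << N) - 1           # the all-ones block 1^N

class RandomFunction:
    """An element of Func(N,N), sampled lazily; plays F_K under a fresh key."""
    def __init__(self, rng):
        self.rng, self.table = rng, {}
    def __call__(self, x):
        if x not in self.table:
            self.table[x] = self.rng.randrange(1 << N)
        return self.table[x]

class RandomPermutation(RandomFunction):
    """An element of Perm(N) with its inverse; stands in for a block cipher E_K."""
    def __init__(self, rng):
        super().__init__(rng)
        self.inverse = {}
    def __call__(self, x):
        while x not in self.table:            # sample an output not used yet
            y = self.rng.randrange(1 << N)
            if y not in self.inverse:
                self.table[x], self.inverse[y] = y, x
        return self.table[x]
    def inv(self, y):
        while y not in self.inverse:          # E_K^{-1}, extending the table lazily
            x = self.rng.randrange(1 << N)
            if x not in self.table:
                self.table[x], self.inverse[y] = y, x
        return self.inverse[y]

# CTR$: <r, F_K(r+1) xor M>;  CBC$: <IV, E_K(IV xor M)>;  one block each.
def ctr_enc(F, M, rng):
    r = rng.randrange(1 << N)
    return (r, F((r + 1) & MASK) ^ M)
def ctr_dec(F, ct):
    return F((ct[0] + 1) & MASK) ^ ct[1]
def cbc_enc(E, M, rng):
    iv = rng.randrange(1 << N)
    return (iv, E(iv ^ M))
def cbc_dec(E, ct):
    return E.inv(ct[1]) ^ ct[0]

# Encrypt-then-MAC over CTR$: decryption rejects any ciphertext that was altered.
def etm_keygen(rng):
    return (RandomFunction(rng), bytes(rng.randrange(256) for _ in range(16)))
def _tag(kmac, r, C):
    msg = r.to_bytes(4, "big") + C.to_bytes(4, "big")
    return hmac.new(kmac, msg, hashlib.sha256).digest()
def etm_enc(key, M, rng):
    r, C = ctr_enc(key[0], M, rng)
    return (r, C, _tag(key[1], r, C))
def etm_dec(key, ct):
    r, C, tag = ct
    if not hmac.compare_digest(tag, _tag(key[1], r, C)):
        return None               # the "bottom" answer: integrity check failed
    return ctr_dec(key[0], (r, C))

CTR = (RandomFunction, ctr_enc, ctr_dec)     # (keygen, encrypt, decrypt) triples
CBC = (RandomPermutation, cbc_enc, cbc_dec)
ETM = (etm_keygen, etm_enc, etm_dec)

def experiment(scheme, adversary, b, rng):
    """Exp^{ind-cca-b}: 0 if A decrypted a ciphertext the LR oracle had returned
    (an illegitimate query), otherwise A's output bit."""
    keygen, enc, dec = scheme
    key, returned, illegitimate = keygen(rng), [], [False]
    def lr(M0, M1):
        ct = enc(key, M1 if b else M0, rng)
        returned.append(ct)
        return ct
    def decrypt(ct):
        if ct in returned:
            illegitimate[0] = True
        return dec(key, ct)
    out = adversary(lr, decrypt)
    return 0 if illegitimate[0] else out

def advantage(scheme, adversary, trials=20, seed=7):
    """Pr[Exp^1(A) = 1] - Pr[Exp^0(A) = 1] over independent keys and coins."""
    rng = random.Random(seed)
    p1 = sum(experiment(scheme, adversary, 1, rng) for _ in range(trials)) / trials
    p0 = sum(experiment(scheme, adversary, 0, rng) for _ in range(trials)) / trials
    return p1 - p0

def roundtrip_ok(scheme, M, seed=1):
    rng = random.Random(seed)
    keygen, enc, dec = scheme
    key = keygen(rng)
    return dec(key, enc(key, M, rng)) == M

def ctr_flip_adversary(lr, decrypt):        # Proposition 6.22: M0 = 0^N, M1 = 1^N
    ct = lr(0, MASK)
    forged = (ct[0], ct[1] ^ MASK) + ct[2:]  # flip every bit of C, keep any tag
    return 1 if decrypt(forged) == 0 else 0

def cbc_flip_adversary(lr, decrypt):        # Proposition 6.23: flip every bit of IV
    iv, C1 = lr(0, MASK)
    return 1 if decrypt((iv ^ MASK, C1)) == 0 else 0
```

`advantage(CTR, ctr_flip_adversary)` and `advantage(CBC, cbc_flip_adversary)` both return 1.0, exactly as the propositions state, while `advantage(ETM, ctr_flip_adversary)` returns 0.0 because the forged $\langle r, C' , \text{tag}\rangle$ fails the tag check and decrypts to nothing in either world. The legitimacy rule is enforced by the experiment itself: any adversary that hands a returned ciphertext straight back to the decryption oracle scores 0 regardless of its output.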
6.11 Other methods for symmetric encryption

6.11.1 Generic encryption with pseudorandom functions

There is a general way to encrypt with pseudorandom functions. Suppose you want to encrypt $m$-bit messages. (Think of $m$ as large.) Suppose we have a pseudorandom function family $F$ in which each key $K$ specifies a function $F_K$ mapping $l$ bits to $m$ bits, for some fixed but quite large value $l$. Then we can encrypt $M$ via $\mathcal{E}_K(M) = (r, F_K(r) \oplus M)$ for random $r$. We decrypt $(r, C)$ by computing $M = F_K(r) \oplus C$. This is the method of [97].

Theorem 6.24 [97] Suppose $F$ is a pseudorandom function family with output length $m$. Then the scheme $(\mathcal{E}, \mathcal{D})$ defined above is a secure private key encryption scheme for $m$-bit messages.

The difference between this and the CBC and XOR methods is that in the latter, we only needed a PRF mapping $l$ bits to $l$ bits for some fixed $l$ independent of the message length. One way to get such a PRF is to use DES or some other block cipher. Thus the CBC and XOR methods result in efficient encryption. To use the general scheme we have just defined we need to construct PRFs that map $l$ bits to $m$ bits for large $m$. There are several approaches to constructing “large” PRFs, depending on the efficiency one wants and what assumptions one wants to make. We have seen in Chapter 5 that pseudorandom function families can be built given one-way functions. Thus we could go this way, but it is quite inefficient. Alternatively, we could try to build these length-extending PRFs out of given fixed-length PRFs.
6.11.2 Encryption with pseudorandom bit generators

A pseudorandom bit generator is a deterministic function $G$ which takes a $k$-bit seed and produces a $p(k) > k$ bit sequence of bits that looks pseudorandom. These objects were defined and studied in Chapter 3. Recall the property they have is that no efficient algorithm can distinguish between a random $p(k)$-bit string and the string $G(K)$ with random $K$.

Recall the one-time pad encryption scheme: we just XOR the message bits with the pad bits. The problem is we run out of pad bits very soon. Pseudorandom bit generators provide probably the most natural way to get around this. If $G$ is a pseudorandom bit generator and $K$ is the $k$-bit shared key, the parties implicitly share the long sequence $G(K)$. Now, XOR message bits with the bits of $G(K)$. Never use an output bit of $G(K)$ more than once. Since we can stretch to any polynomial length, we have enough bits to encrypt.

More precisely, the parties maintain a counter $N$, initially 0. Let $G_i(K)$ denote the $i$th bit of the output of $G(K)$. Let $M$ be the message to encrypt. Let $M_i$ be its $i$th bit, and let $n$ be its length. The sender computes $C_i = G_{N+i}(K) \oplus M_i$ for $i = 1, \ldots, n$ and lets $C = C_1 \ldots C_n$ be the ciphertext. This is transmitted to the receiver. Now the parties update the counter via $N \leftarrow N + n$. The total number of bits that can be encrypted is the number $p(k)$ of bits output by the generator. One can show, using the definition of PRBGs, that this works:

Theorem 6.25 If $G$ is a secure pseudorandom bit generator then the above is a secure encryption scheme.

One seeming disadvantage of using a PRBG is that the parties must maintain a common, synchronized counter, since both need to know where they are in the sequence $G(K)$. (Note that the schemes we have discussed above avoid this. Although some of the schemes above may optionally use a counter instead of a random value, this counter is not a synchronized one: the sender maintains a counter, but the receiver does not, and doesn’t care that the sender thinks of counters.) To get around this, we might have the sender send the current counter value $N$ (in the clear) with each message. If authentication is being used, the value $N$ should be authenticated.

The more major disadvantage is that the pseudorandom sequence $G(K)$ may not have random access. To produce the $i$th bit one may have to start from the beginning and produce all bits up to the $i$th one. (This means the time to encrypt $M$ depends on the number and length of messages encrypted in the past, not a desirable feature.) Alternatively the sequence $G(K)$ may be precomputed and stored, but this uses a lot of storage. Whether this drawback exists or not depends of course on the choice of PRBG $G$.

So how do we get pseudorandom bit generators? We saw some number theoretic constructions in Chapter 3. These are less efficient than block cipher based methods, but are based on different kinds of assumptions which might be preferable. More importantly, though, these constructions have the drawback that random access is not possible. Alternatively, one could build pseudorandom bit generators out of finite PRFs. This can be done so that random access is possible. However the resulting encryption scheme ends up being not too different from the XOR scheme with a counter so it isn’t clear it is worth a separate discussion.
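As an added example (my own code, not from the notes) of the counter-synchronized PRBG scheme above: $G$ is built from a fixed-length PRF, HMAC-SHA256 in counter mode, which is an assumption of mine chosen because it gives random access to bit $i$ of $G(K)$ without producing the earlier bits; the sender and receiver each keep the counter $N$, and $N$ is sent in the clear with every ciphertext so the receiver can resynchronize and decrypt out-of-order messages. The key, the capacity standing in for $p(k)$ and the messages are constructed, and bit indices are 0-based here rather than 1-based as in the text. The last function shows what an eavesdropper learns when an output bit of $G(K)$ is used twice, which is why the counter is never rewound.

```python
import hashlib
import hmac
from functools import lru_cache

# Added example (not from the lecture notes). G(K) is built from the fixed-length
# PRF HMAC-SHA256 in counter mode: output block j of G(K) is HMAC(K, j), so bit i
# is found in block i // 256 with random access. Key, capacity and messages are
# constructed toy values; bit indices are 0-based here.
BLOCK_BITS = 256

@lru_cache(maxsize=None)
def _block(key, j):
    return hmac.new(key, j.to_bytes(8, "big"), hashlib.sha256).digest()

def g_bit(key, i):
    """G_i(K): bit i of the generator output, computed without earlier bits."""
    block_idx, offset = divmod(i, BLOCK_BITS)
    byte_idx, bit_idx = divmod(offset, 8)
    return (_block(key, block_idx)[byte_idx] >> (7 - bit_idx)) & 1

def prbg_bits(key, start, count):
    """Bits G_start, ..., G_{start+count-1} of G(K)."""
    return [g_bit(key, start + j) for j in range(count)]

class Party:
    """One endpoint: the shared key K, the counter N (initially 0) and the
    capacity p(k), the total number of pad bits the generator may ever supply."""
    def __init__(self, key, capacity=1 << 20):
        self.key, self.N, self.capacity = key, 0, capacity

    def encrypt(self, msg_bits):
        n = len(msg_bits)
        if self.N + n > self.capacity:
            raise ValueError("pad exhausted: no output bit of G(K) may be reused")
        pad = prbg_bits(self.key, self.N, n)
        ct = [m ^ p for m, p in zip(msg_bits, pad)]
        sent_N, self.N = self.N, self.N + n      # these pad bits are now spent
        return sent_N, ct                         # N travels in the clear with C

    def decrypt(self, sent_N, ct):
        pad = prbg_bits(self.key, sent_N, len(ct))
        self.N = max(self.N, sent_N + len(ct))    # resynchronize from the sent N
        return [c ^ p for c, p in zip(ct, pad)]

def pad_reuse_leak(key, m1_bits, m2_bits):
    """What an eavesdropper learns if the counter is rewound and two messages
    are encrypted at the same N: C1 xor C2 = M1 xor M2, the pad cancels out."""
    pad = prbg_bits(key, 0, max(len(m1_bits), len(m2_bits)))
    c1 = [m ^ p for m, p in zip(m1_bits, pad)]
    c2 = [m ^ p for m, p in zip(m2_bits, pad)]
    return [a ^ b for a, b in zip(c1, c2)]
```

Because $G_i(K)$ is computed directly from the block index, encrypting the thousandth message costs no more than the first, which is the random-access property the text identifies as the deciding factor in choosing $G$; the number-theoretic generators of Chapter 3 do not offer it. The sent counter is unauthenticated here, matching the text's remark that it should be authenticated whenever authentication is in use.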
6.11.3 Encryption with one-way functions

We saw in Chapter 3 that pseudorandom bit generators exist if one-way functions exist [113]. It is also known that given any secure private key encryption scheme one can construct a one-way function [114]. Thus we have the following.

Theorem 6.26 There exists a secure private key encryption scheme if and only if there exists a one-way function.

We will see later that the existence of secure public key encryption schemes requires different kinds of assumptions, namely the existence of primitives with “trapdoors.”
6.12 Historical notes

The pioneering work on the theory of encryption is that of Goldwasser and Micali [102], with refinements by [148, 96]. This body of work is however in the asymmetric (i.e., public key) setting, and uses the asymptotic framework of polynomial-time adversaries and negligible success probabilities. The treatment of symmetric encryption we are using is from [20]. In particular Definition 6.1 and the concrete security framework are from [20]. The analysis of the CTR and CBC mode encryption schemes, as given in Theorems 6.13, 6.14 and 6.19 is also from [20]. The approach taken to the analysis of CBC mode is from [23].

6.13 Problems

Problem 6.27 Formalize a notion of security against key-recovery for symmetric encryption schemes, and prove an analog of Proposition 6.12.

Problem 6.28 The CBC-Chain mode of operation is a CBC variant in which the IV that is used for the very first message to be encrypted is random, while the IV used for each subsequent encrypted message is the last block of ciphertext that was generated. The scheme is probabilistic and stateful. Show that CBC-Chain is insecure by giving a simple and efficient adversary that breaks it in the IND-CPA sense.

Problem 6.29 Using the proof of Theorem 6.13 as a template, prove Theorem 6.14 assuming Lemma 6.17.

Problem 6.30 Devise a secure extension to CBC$ mode that allows messages of any bit length to be encrypted. Clearly state your encryption and decryption algorithm. Your algorithm should be simple, should “look like” CBC mode as much as possible, and it should coincide with CBC mode when the message being encrypted is a multiple of the blocklength. How would you prove your algorithm secure?
Chapter 7

Public-key encryption

The idea of a public-key cryptosystem (PKC) was proposed by Diffie and Hellman in their pioneering paper [72] in 1976. Their revolutionary idea was to enable secure message exchange between sender and receiver without ever having to meet in advance to agree on a common secret key. They proposed the concept of a trapdoor function and how it can be used to achieve a public-key cryptosystem. Shortly thereafter Rivest, Shamir and Adleman proposed the first candidate trapdoor function, the RSA. The story of modern cryptography followed.

The setup for a public-key cryptosystem is of a network of users $u_1, \ldots, u_n$ rather than a single pair of users. Each user $u$ in the network has a pair of keys $\langle P_u, S_u\rangle$ associated with him, the public key $P_u$ which is published under the user's name in a “public directory” accessible for everyone to read, and the private key $S_u$ which is known only to $u$. The pairs of keys are generated by running a key-generation algorithm. To send a secret message $m$ to $u$ everyone in the network uses the same exact method, which involves looking up $P_u$, computing $E(P_u, m)$ where $E$ is a public encryption algorithm, and sending the resulting ciphertext $c$ to $u$. Upon receiving ciphertext $c$, user $u$ can decrypt by looking up his private key $S_u$ and computing $D(S_u, c)$ where $D$ is a public decryption algorithm. Clearly, for this to work we need that $D(S_u, E(P_u, m)) = m$.

A particular PKC is thus defined by a triplet of public algorithms $(G, E, D)$, the key generation, encryption, and decryption algorithms.
7.1 Definition of Public-Key Encryption

We now formally define a public-key encryption scheme. For now the definition will say nothing about what we mean by “security” of a scheme (which is the subject of much discussion in subsequent sections).

Definition 7.1 A public-key encryption scheme is a triple, $(G, E, D)$, of probabilistic polynomial-time algorithms satisfying the following conditions

(1) key generation algorithm: a probabilistic expected polynomial-time algorithm $G$, which, on input $1^k$ (the security parameter) produces a pair $(e, d)$ where $e$ is called the public key, and $d$ is the corresponding private key. (Notation: $(e, d) \in G(1^k)$.) We will also refer to the pair $(e, d)$ as a pair of encryption/decryption keys.

(2) An encryption algorithm: a probabilistic polynomial time algorithm $E$ which takes as input a security parameter $1^k$, a public key $e$ from the range of $G(1^k)$ and string $m \in \{0,1\}^k$ called the message, and produces as output string $c \in \{0,1\}^*$ called the ciphertext. (We use the notation $c \in E(1^k, e, m)$ to denote $c$ being an encryption of message $m$ using key $e$ with security parameter $k$. When clear, we use shorthand $c \in E_e(m)$, or $c \in E(m)$.)
(3) A decryption algorithm: a probabilistic polynomial time algorithm $D$ that takes as inputs a security parameter $1^k$, a private key $d$ from the range of $G(1^k)$, and a ciphertext $c$ from the range of $E(1^k, e, m)$, and produces as output a string $m' \in \{0,1\}^*$, such that for every pair $(e, d)$ in the range of $G(1^k)$, for every $m$, for every $c \in E(1^k, e, m)$, the probability that the output $m' = D(1^k, d, c)$ differs from $m$ is negligible.

(4) Furthermore, this system is “secure” (see Definition 7.3).
How to use this definition. To use a public-key encryption scheme $(G, E, D)$ with security parameter $1^k$, user $A$ runs $G(1^k)$ to obtain a pair $(e, d)$ of encryption/decryption keys. User $A$ then “publishes” $e$ in a public file, and keeps $d$ private. If anyone wants to send $A$ a message, they need to look up $e$ and compute $E(1^k, e, m)$. Upon receipt of $c \in E(1^k, e, m)$, $A$ computes message $m = D(1^k, d, c)$.

Comments on the Definitions

Comment 0: Note that essentially there is no difference between the definition of a private-key encryption scheme and the definition of a public-key encryption scheme at this point. We could have defined a private key encryption scheme to have one key $e$ for encryption and a different key $d$ for decryption. The difference between the two definitions comes up in the security definition. In a public-key encryption scheme the adversary or “breaking algorithm” is given $e$ (the public key) as an additional input; whereas in a private-key scheme $e$ is not given to the adversary (thus without loss of generality one may assume that $e = d$).

Comment 1: At this stage, encryption using a key of length $k$ is defined only for messages of length $k$; generalization is postponed to Convention 7.1.

Comment 2: Note that as algorithm $G$ is polynomial time, the length of its output $(e, d)$ (or $e$ in the private key encryption case) is bounded by a polynomial in $k$. On the other hand, since $k$ also serves as the “security parameter”, $k$ must be polynomial in $|d|$ (or $|e|$ in the private-key encryption case) in which case “polynomial in $k$” is equivalent to “polynomial in $|d|$”.

Comment 3: Condition (3) in Definitions 7.7 and 7.1 may be relaxed so that inequality may occur with negligible probability. For simplicity, we chose to adopt here the more conservative requirement.

Comment 4: We have allowed the encryption algorithm in both of the above definitions to be probabilistic. Namely, there can be many ciphertexts corresponding to the same message. In the simple (informal) example of a public-key encryption scheme based on a trapdoor function outlined in the introduction, every message has a unique corresponding ciphertext. That is too restrictive as, for example, if $E$ is deterministic, the same inputs would always produce the same outputs, an undesirable characteristic.

Comment 5: We allowed $D$ to be a probabilistic algorithm. This may conceivably allow the consideration of encryption schemes which may offer higher security ([50]). Accordingly, we may relax the requirement that $\forall m$, $D(E(m)) = m$ to hold only with high probability.
Conventions Regarding Definitions

Messages of length not equal to $k$ (the length of the encryption key) are encrypted by breaking them into blocks of length $k$ and possibly padding the last block. We extend the notation so that
$$E_e(\alpha_1 \cdots \alpha_l\, \alpha_{l+1}) = E_e(\alpha_1) \cdots E_e(\alpha_l)\, E_e(\alpha_{l+1} p)$$
where $|\alpha_1| = \cdots = |\alpha_l| = k$, $|\alpha_{l+1}| \le k$, and $p$ is some standard padding of length $k - |\alpha_{l+1}|$.

The above convention may be interpreted in two ways. First, it waives the extremely restricting convention by which the encryption scheme can be used only to encrypt messages of length equal to the length of the key. Second, it allows us to reduce the security of encrypting many messages using the same key to the security of encrypting a single message.

The next convention regarding encryption schemes introduces a breach of security: namely, the length of the cleartext is always revealed by encryption schemes which follow this convention. However, as we show in a later section some information about the length of the cleartext must be leaked by any encryption scheme.

The encryption algorithm maps messages of the same length to cryptograms of the same length.
7.2 Simple Examples of PKC: The Trapdoor Function Model

A collection of trapdoor functions, discussed at length in the chapter on one-way functions and trapdoor functions, has been defined as $F = \{f_i\colon D_i \to D_i\}_{i \in I}$ where $D_i \subseteq \{0,1\}^{|i|}$, and $I$ is a set of indices. Recall that $\forall i$, $f_i$ was easy to compute, but hard to invert; and $\forall i$, there existed $t_i$ such that given $t_i$ and $f_i(x)$, $f_i(x)$ could be inverted in polynomial time.

Diffie and Hellman suggested using the supposed existence of trapdoor functions to implement Public Key Cryptosystems as follows.

(1) The generator $G$ on security parameter $1^k$ outputs pairs $(f, t_f)$ where $f$ is a trapdoor function and $t_f$ its associated trapdoor information.

(2) For every message $m \in M$, $E(f, m) = f(m)$.

(3) Given $c \in E(f, m)$ and $t_f$, $D(t_f, c) = f^{-1}(c) = f^{-1}(f(m)) = m$.
7.2.1 Problems with the Trapdoor Function Model

There are several immediate problems which come up in using the trapdoor function model for public key encryption.

We summarize briefly the main problems which will be elaborated on in the next few sections.

(1) Special Message Spaces. The fact that $f$ is a trapdoor function doesn’t imply that inverting $f(x)$ when $x$ is special is hard. Namely, suppose that the set of messages that we would like to send is drawn from a highly structured message space such as the English language, or more simply $M = \{0,1\}$; it may be easy to invert $f(m)$. In fact, it is always easy to distinguish between $f(0)$ and $f(1)$.

(2) Partial Information. The fact that $f$ is a one-way or trapdoor function doesn’t necessarily imply that $f(x)$ hides all information about $x$. Even a bit of leakage may be too much for some applications. For example, for the candidate one-way function $f(p, g, x) = g^x \bmod p$ where $p$ is prime and $g$ is a generator, the least significant bit of $x$ is always easily computable from $f(x)$. For the RSA function $f(n, l, x) = x^l \bmod n$, the Jacobi symbol $J_n(x) = J_n(x^l \bmod n)$. Namely, the Jacobi symbol of $x$ is easy to compute from $f(n, l, x)$; this was observed by Lipton [135] who used this fact to crack a protocol for Mental Poker by Shamir, Rivest and Adleman [191]. See below. Moreover, for any one-way function $f$, information such as “the parity of $f(m)$” about $m$ is always easy to compute from $f(m)$. See below.

(3) Relationship between Encrypted Messages. Clearly, we may be sending messages which are related to each other in the course of a communication. Some examples are: sending the same secret message to several recipients, or sending the same message (or slight variants) many times. It is thus desirable and sometimes essential that such dependencies remain secret. In the trapdoor function model, it is trivial to see that sending the same message twice is always detectable. More serious problems were noted by several researchers, most notably by Håstad who shows [110] that if RSA with an exponent $l$ is used, and the same message (or known linear combinations of the same message) is sent to $l$ recipients, then the message can be computed by an adversary.
7.2.2 Problems with Deterministic Encryption in General
The above problems are actually shared by any public-key cryptosystem in which the encryption algorithm is
deterministic.
It is obvious for problems 1 and 3 above. It is easy to show also for problem 2 as follows. Let $E$ be any
deterministic encryption algorithm; we can extract partial information by using something similar to the following
predicate:
$$P(x) = \begin{cases} 1 & \text{if } E(x) \text{ is even} \\ 0 & \text{if } E(x) \text{ is odd} \end{cases}$$
It is clear that we can easily compute this predicate, since all we have to do is take the low bit of $E(x)$. Unless
$E(x)$ is always even or always odd for all the $x$'s in the message space, we have obtained partial information
about $x$. If $E(x)$ is always even or always odd, the low bit of $E(x)$ contains no information. But some other bit of $E(x)$
must contain some information, otherwise the message space is composed of only one message, in which case we
have total information. Then simply use that bit instead of the lowest bit, and we have a partial-information-obtaining
predicate.
7.2.3 The RSA Cryptosystem
In 1977 Shamir, Rivest and Adleman proposed the first implementation of a trapdoor function, the RSA function
[176]. We refer the reader to Chapter 2, in particular Sections 2.2.5 and 2.17, for a thorough treatment
of the RSA trapdoor function.
Here, let us examine the use of the RSA trapdoor function for the purpose of encryption in the straightforward
manner proposed by Diffie and Hellman. We will show that it will not satisfy the kind of security which we
desire. We will later see that a probabilistic variant will do the job.
Recall the definition of the RSA trapdoor function (2.17). Let $p, q$ denote primes, $n = pq$, $Z_n^* = \{1 \le x \le n : (x, n) = 1\}$
the multiplicative group whose cardinality is $\varphi(n) = (p-1)(q-1)$, and $e \in Z_{p-1}$ relatively prime to $\varphi(n)$. Our
set of indices will be $I = \{\langle n, e \rangle \text{ such that } n = pq,\ |p| = |q|\}$ and the trapdoor associated with the particular
index $\langle n, e \rangle$ is $t_{\langle n,e \rangle} = d$ such that $ed = 1 \bmod \varphi(n)$. Let $RSA = \{RSA_{\langle n,e \rangle} : Z_n^* \to Z_n^*\}_{\langle n,e \rangle \in I}$ where
$$RSA_{\langle n,e \rangle}(x) = x^e \bmod n$$
Sparse Message Spaces
We showed that the RSA function has some nice properties that seem especially good for use as a PKC. For
example, we showed for a given pair $\langle n, e \rangle$, it is either hard to invert $RSA_{\langle n,e \rangle}$ for all but a negligible
fraction of $x$'s in $Z_n^*$, or easy to invert $RSA_{\langle n,e \rangle}(x)$ for all $x \in Z_n^*$. Does this mean that the RSA cryptosystem
is difficult to break for almost all messages if factoring integers is hard? The answer is negative.
Suppose that the message space $M$ we are interested in is the English language. Then let $M_k = \{0,1\}^k$ where
$m \in M_k$ is an English sentence. Compared to the entire space, the set of English sentences is quite small. For
example, $\frac{|M_k|}{|Z_n^*|} \le \frac{1}{2^{\sqrt{n}}}$. Thus it is possible that $f_{n,e}(x)$ is easy to invert for all $x \in M_k$, even if the factorization
problem is hard. In other words, English sentences are highly structured; it might well be the case that our
function can be easily inverted on all such inputs. Clearly, we would ultimately like our encryption schemes to
be secure for all types of message spaces, including English text.
Partial Information about RSA
What partial information about $x$ can be computed from $RSA_{\langle n,e \rangle}(x)$?
We showed in the chapter on one-way and trapdoor functions that indeed some bits, such as the least significant
bit and most significant bit of RSA, are very well hidden. This is the good news.
Unfortunately, in some cases very subtle leakage of partial information can defeat the whole purpose of encryption.
We present a "cute" example of this shown by Lipton shortly after RSA was invented.
An Example: Mental Poker (SRA ’76): Mental Poker is a protocol by which two parties each of whom
distrusts the other can deal each other cards from a deck without either being able to cheat. The protocol for
A to deal B a card goes like this:
(1) A and B agree on a set $X = \{x_1, \ldots, x_{52}\}$, $x_i \in Z_n^*$, of random numbers where $n = pq$, $p$ and $q$ prime and
known to both A and B. These numbers represent the deck of cards, $x_i$ representing the $i$th card in the
deck.
(2) A picks $s$ such that $(s, \varphi(n)) = 1$, and $t$ such that $st \equiv 1 \pmod{\varphi(n)}$, secretly. B does the same for $e$ and
$f$. (I.e., $ef \equiv 1 \pmod{\varphi(n)}$.)
(3) A calculates $x_i^s \bmod n$ for $i = 1 \ldots 52$, shuffles the numbers, and sends them to B.
(4) B calculates $(x_i^s \bmod n)^e \bmod n$ for $i = 1 \ldots 52$, shuffles the numbers, and sends them to A.
(5) A calculates $((x_i^s \bmod n)^e \bmod n)^t \bmod n = x_i^e \bmod n$ for $i = 1 \ldots 52$. A then chooses a card randomly
(i.e., picks $x_j^e$ where $j \in [1 \ldots 52]$) and sends it to B.
(6) B then takes $(x_j^e \bmod n)^f \bmod n = x_j \bmod n$. This is the card B has been dealt.
Why it works: Note that so long as no partial information can be obtained from the RSA trapdoor function,
neither A nor B can influence in any way the probability of B getting any given card. A is unable to give B bad
cards and likewise B cannot deal himself good cards. This follows from the fact that encrypting the cards is
analogous to placing each of them in boxes locked with padlocks. So long as a card is locked in a box with a
padlock of the other player's on it, nothing can be told about it and it is indistinguishable from the other locked
boxes.
When B gets the deck in step 3, he has no idea which card is which and thus is unable to influence which card
he is dealt. However, A can still tell them apart since it is A's padlocks that are on the boxes. To prevent A from
being able to influence the cards, B then puts his own locks on the boxes as well and shuffles the deck. Now
A also cannot tell the cards apart, so when he is forced to make his choice, he is forced to just deal a random
card. Thus, the two players, in spite of distrusting each other, can play poker.
How to extract partial information from the RSA function: The protocol fails, however, because it is
possible to extract partial information from the RSA function and thus determine to some degree of accuracy
which cards are which and hence influence the outcome of the draw. One way to do this is by computing the
Jacobi symbol, since $J_n(x_i) = J_n(x_i^s)$ because $s$ is odd. Thus, since on average half of the $x_i$'s have a Jacobi symbol of 1,
as they are random numbers in $Z_n^*$, we can extract roughly one bit of information from each
of the cards. In order to influence the draw in our favor, we simply determine whether the cards with a
Jacobi symbol of $1$ or the cards with a Jacobi symbol of $-1$ are better for us and then draw only from that set
of cards.
One's immediate reaction to this, of course, is simply to modify the protocol so that in step 1 only numbers
with, say, a Jacobi symbol of 1 are chosen. Then no information will be gained by computing the Jacobi symbol.
However, this is no guarantee that some other more clever predicate does not exist which can still extract partial
information, and indeed such functions must exist by the very nature of trapdoor functions.
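The leak described above, as an added example that is not part of these notes: a Jacobi symbol routine, a check that A's step (3) passes each card's symbol straight through the RSA exponentiation, and the first fix mentioned above (a deck restricted to symbol $+1$). The modulus $143 = 11 \cdot 13$, the exponent $s = 7$ and the card values are constructed toy parameters.

```python
import math

def jacobi(a, n):
    """Jacobi symbol J_n(a) for odd n > 0, computed by quadratic reciprocity."""
    assert n > 0 and n % 2 == 1
    a %= n
    result = 1
    while a:
        while a % 2 == 0:            # pull out factors of 2: (2/n) = -1 iff n = 3, 5 mod 8
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                  # reciprocity: sign flips iff both are 3 mod 4
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

# Constructed toy deck parameters (not a secure size): n = pq is known to both players.
P, Q = 11, 13
N = P * Q
PHI = (P - 1) * (Q - 1)

def deal_step3(cards, s, n=N):
    """A's step (3): x_i^s mod n for every card, then 'shuffle'.  Sorting stands in
    for the shuffle here; the order carries no information either way."""
    return sorted(pow(x, s, n) for x in cards)

def jacobi_leak(encrypted_cards, n=N):
    """What the receiver learns from A's encrypted deck without any trapdoor:
    J_n(x^s) = J_n(x)^s = J_n(x) for odd s, so the symbol of each card survives."""
    return [jacobi(c, n) for c in encrypted_cards]

def leak_preserved(cards, s, n=N):
    """True iff the multiset of Jacobi symbols of the plain cards equals that of the
    encrypted cards, i.e. one bit per card passed straight through the encryption."""
    assert s % 2 == 1 and math.gcd(s, PHI) == 1   # s must be odd since phi(n) is even
    return sorted(jacobi(x, n) for x in cards) == sorted(jacobi_leak(deal_step3(cards, s, n), n))

def deck_without_jacobi_leak(n=N):
    """The fix discussed above: only card values with J_n(x) = 1 are used.  Exactly
    half of Z_n^* qualifies, so the symbol no longer separates the cards."""
    return [x for x in range(1, n) if math.gcd(x, n) == 1 and jacobi(x, n) == 1]
```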
Low exponent attacks
Let the exponent be $e = 3$. We saw that any exponent relatively prime to $\varphi(N)$ is OK, and we can easily choose
$N = pq$ so that 3 is relatively prime to $(p-1)(q-1) = \varphi(N)$. This is a popular choice for performance reasons.
Encryption is now fast. And we saw that RSA is still (assumed) one-way under this choice.
So encryption of $m$ is now $m^3 \bmod N$. Here is an interesting attack illustrating the weaknesses of RSA encryption,
due to Coppersmith, Franklin, Patarin and Reiter [62]. Suppose I encrypt $m$ and then $m+1$. I claim you
can recover $m$. We have ciphertexts:
$$c_1 = m^3, \qquad c_2 = (m+1)^3 = m^3 + 3m + 3m^2 + 1 = c_1 + 3m + 3m^2 + 1$$
Now let's try to solve for $m$. Perhaps the first thought that springs to mind is that we have a quadratic equation
for $m$. But taking square roots is hard, so we don't know how to solve it that way. It turns out the following
works:
$$\frac{c_2 + 2c_1 - 1}{c_2 - c_1 + 2} = \frac{(m+1)^3 + 2m^3 - 1}{(m+1)^3 - m^3 + 2} = \frac{3m^3 + 3m^2 + 3m}{3m^2 + 3m + 3} = m .$$
This can be generalized. First, you can generalize to messages $m$ and $\alpha m + \beta$ for known $\alpha, \beta$. Second, it works
for exponents greater than 3. The attack then runs in time $O(e^2)$ so it is feasible for small exponents. Finally,
it can work for $k$ messages related by a higher degree polynomial.
These are the kinds of attacks we most deﬁnitely would like to avoid.
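The identity above carried out in $Z_N$, as an added example that is not part of these notes, including the generalization to $m$ and $\alpha m + \beta$ that the text states (the substitution $m' = \alpha m$ reduces it to the same algebra with $\beta$ in place of 1). The modulus $N = 1019 \cdot 1031$ and the messages are constructed toy values; the identity only needs the denominators to be invertible modulo $N$.

```python
import math

# Constructed toy RSA modulus with e = 3 (not a secure size).
N = 1019 * 1031
E = 3

def rsa_encrypt(m, n=N, e=E):
    """Deterministic textbook RSA as in the trapdoor function model: c = m^e mod n."""
    return pow(m, e, n)

def recover_from_successor(c1, c2, n=N):
    """The formula from the text for c1 = m^3 and c2 = (m+1)^3:
        m = (c2 + 2 c1 - 1) / (c2 - c1 + 2)     evaluated in Z_n."""
    num = (c2 + 2 * c1 - 1) % n
    den = (c2 - c1 + 2) % n
    if math.gcd(den, n) != 1:
        raise ValueError("denominator not invertible modulo n")
    return num * pow(den, -1, n) % n

def recover_from_affine(c1, c2, alpha, beta, n=N):
    """The generalization stated in the text: c1 = m^3, c2 = (alpha m + beta)^3 with
    alpha, beta known.  Put m' = alpha m; then m'^3 = alpha^3 c1 and (m' + beta)^3 = c2,
    and the same cancellation gives
        m' = beta (c2 + 2 alpha^3 c1 - beta^3) / (c2 - alpha^3 c1 + 2 beta^3),
    after which m = m' / alpha.  With alpha = beta = 1 this is the formula above."""
    if math.gcd(alpha, n) != 1:
        raise ValueError("alpha not invertible modulo n")
    c1p = pow(alpha, 3, n) * c1 % n
    b3 = pow(beta, 3, n)
    num = beta * (c2 + 2 * c1p - b3) % n
    den = (c2 - c1p + 2 * b3) % n
    if math.gcd(den, n) != 1:
        raise ValueError("denominator not invertible modulo n")
    m_prime = num * pow(den, -1, n) % n
    return m_prime * pow(alpha, -1, n) % n
```

The point of the block is the one the text makes: the algebra works on ciphertexts alone, with no trapdoor, whenever the two plaintexts are deterministically encrypted and related by a known polynomial.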
7.2.4 Rabin’s Public key Cryptosystem
Recall Rabin's trapdoor function from Chapter 2:
$$f_n(m) \equiv m^2 \bmod n$$
where $n$ is the product of two large primes, $p$ and $q$. Once again, this function can yield another example of
a trapdoor/public key cryptosystem, except that $f_n$ is not a permutation but a 4-to-1 function. An inverse of
$f_n(m)$:
$$f_n^{-1}(m^2) = x \text{ such that } x^2 = m^2 \bmod n$$
However, in practice, when we invert Rabin's function, we do not simply want any square root of the encrypted
message, but the correct one of the four that was meant to be sent by the sender and would be meaningful to
the intended recipient. So, we need to add a constraint to uniquely identify the root $x$ which must be output by
the decryption algorithm on $f_n(m^2)$, such as: find $x$ such that $x^2 = m^2 \bmod n$ and $x \in S$, where $S$ is a property
for which it is quite unlikely that there exist two roots $m, x \in S$. What could $S$ be? Well, if the message space
$M$ is sparse in $Z_n^*$ (which would usually be the case), then $S$ may simply be $M$. In such a case it is unlikely that
there exists $m \ne m' \in M$ such that $m'^2 = m^2 \bmod n$. (If $M$ is not sparse, $S$ may be all $x$ whose last 20
digits are $r$ for some random $r$. Then to send $m$ in secrecy, $(f_n(m') = f_n(2^{20} m + r),\ r)$ need be sent.)
Recall that earlier in the class we showed that inverting Rabin's function is as hard as factoring. Namely,
we showed that inverting Rabin's function for a fraction of the $m^2 \in Z_n^*$'s implies the ability to factor. The proof
went as follows:
• Suppose there existed a black box that on input $x^2$ responded with a $y$ such that $x^2 = y^2 \bmod n$. Then,
to factor $n$, choose an $i$ at random from $Z_n^*$ and give as input $i^2 \bmod n$ to the black box. If the box
responds with a $y$ such that $y \ne \pm i$, then we can indeed factor $n$ by computing $\gcd(i \pm y, n)$. In the case
that $y = \pm i$, we have gained no information, so repeat.
If we think of this black box as a decoding algorithm for the public key system based on Rabin's function used
to encrypt messages in message space $M$, can we conclude that if it is possible to decrypt the public key system
$f_n(m)$ for $m \in M$, then it is possible to factor $n$?
If the message space $M$ is sparse, then the answer is no. Why? For the black box (above) to be of any use we
need to feed it with an $f_n(i)$ for which there exists a $y$ such that $y \in M$ and $y \ne i$. The probability that such a
$y$ exists is about $\frac{|M|}{|Z_n^*|}$, which may be exponentially small.
If the message space $M$ is not sparse, we run into another problem. Rabin's scheme would not be secure in the
presence of an active adversary who is capable of a chosen ciphertext attack. This is easy to see again using the
above proof that inverting Rabin's function is as hard as factoring. Temporary access to a decoding algorithm
for Rabin's public key encryption for messages in $M$ is the same as having access to the black box of the above
proof. The adversary chooses $i$ at random and feeds the decoding algorithm with $f_n(i)$. If the adversary gets
back $y$ such that $y^2 = i^2 \bmod n$ (again, with $i \ne \pm y$), it factors $n$ and obtains the secret key. If $M$ is not sparse this
will be the case after trying a polynomial number of $i$'s. From here on, the adversary would be able to decrypt
any ciphertext with the aid of the secret key and without the need for a black box.
Therefore, either Rabin's scheme is not equivalent to factoring, which is the case when inverting on a sparse
message space, or (when $M$ is not sparse) it is insecure against a chosen ciphertext adversary.
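The black-box argument and the constraint $S$ above, as an added example that is not part of these notes: a toy Rabin decryptor that holds the trapdoor $(p, q)$ and answers with an arbitrary root, the reduction that turns such answers into a factor of $n$, and a decryptor that only returns the root carrying the sender's tag $r$ (so that a random query almost never gets a useful answer). The primes 499 and 503 (both $3 \bmod 4$, so square roots are one exponentiation) and the 8-bit tag width are constructed toy parameters.

```python
import math
import random

# Constructed toy parameters (not a secure size).
P, Q = 499, 503
N = P * Q

def rabin_encrypt(m, n=N):
    """f_n(m) = m^2 mod n, the Rabin trapdoor function of the text."""
    return (m * m) % n

def sqrt_mod_prime(a, p):
    """A square root of a quadratic residue a modulo a prime p = 3 (mod 4):
    (a^((p+1)/4))^2 = a^((p+1)/2) = a * a^((p-1)/2) = a by Euler's criterion."""
    return pow(a, (p + 1) // 4, p)

def all_square_roots(c, p=P, q=Q):
    """The four roots of c modulo n = pq, assembled with the Chinese remainder theorem."""
    n = p * q
    rp, rq = sqrt_mod_prime(c % p, p), sqrt_mod_prime(c % q, q)
    u = q * pow(q, -1, p) % n        # u = 1 mod p, u = 0 mod q
    v = p * pow(p, -1, q) % n        # v = 0 mod p, v = 1 mod q
    return {(sp * u + sq * v) % n for sp in (rp, p - rp) for sq in (rq, q - rq)}

def make_black_box(seed=1):
    """The black box of the proof: given x^2 it returns *some* y with y^2 = x^2 mod n.
    A decryptor with the trapdoor that does not restrict the root to S behaves like this."""
    rng = random.Random(seed)
    def black_box(c):
        return rng.choice(sorted(all_square_roots(c)))
    return black_box

def factor_with_black_box(black_box, n=N, seed=0):
    """The reduction of the text: query on i^2 for random i in Z_n^*; an answer
    y != +-i gives a factor gcd(i - y, n).  Returns (factor, cofactor, queries)."""
    rng = random.Random(seed)
    queries = 0
    while True:
        i = rng.randrange(2, n)
        if math.gcd(i, n) != 1:
            continue                      # not in Z_n^*; negligible for real sizes
        y = black_box((i * i) % n)
        queries += 1
        if y not in (i, n - i):           # the useful case y != +-i
            f = math.gcd(i - y, n)
            return f, n // f, queries
        # y = +-i: nothing learned, repeat as the proof says

def decrypt_with_redundancy(c, tag, bits=8):
    """Decryptor that enforces the constraint S of the text, scaled down: the sender
    encrypts 2^bits * m + tag, and only a root whose low `bits` bits equal the tag
    is released.  For a query i^2 with random i this almost never returns a root."""
    for x in all_square_roots(c):
        if x % (1 << bits) == tag:
            return x
    return None
```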
7.2.5 Knapsacks
A number of public-key cryptosystems have been proposed which are based on the knapsack (or, more properly,
the subset sum) problem: given a vector $a = (a_1, a_2, \ldots, a_n)$ of integers, and a target value $C$, to determine
if there is a length-$n$ vector $x$ of zeroes and ones such that $a \cdot x = C$. This problem is NP-complete [91].
To use the knapsack problem as the basis for a public-key cryptosystem, you create a public key by creating a
knapsack vector $a$, and publish that as your public key. Someone else can send you the encryption of a message
$M$ (where $M$ is a length-$n$ bit vector), by sending you the value of the inner product $C = M \cdot a$. Clearly, to
decrypt this ciphertext is an instance of the knapsack problem. To make this problem easy for you, you need
to build hidden structure (that is, a trapdoor) into the knapsack so that the encryption operation becomes
one-to-one and so that you can decrypt a received ciphertext easily. It seems, however, that the problem of
solving knapsacks containing a trapdoor is not NP-complete, so that the difficulty of breaking such a knapsack
is no longer related to the P = NP question.
In fact, history has not been kind to knapsack schemes; most of them have been broken by extremely clever
analysis and the use of the powerful $L^3$ algorithm [132] for working in lattices. See [143, 186, 188, 2, 190, 128,
48, 157].
Some knapsack or knapsack-like schemes are still unbroken. The Chor-Rivest scheme [60], and the multiplicative
versions of the knapsack [143] are examples. McEliece has a knapsack-like public-key cryptosystem based on
error-correcting codes [142]. This scheme has not been broken, and was the first scheme to use randomization
in the encryption process.
We are now ready to introduce what is required from a secure Public Key Cryptosystem.
7.3 Deﬁning Security
Brainstorming about what it means to be secure brings immediately to mind several desirable properties. Let
us start with the minimal requirement and build up.
First and foremost the private key should not be recoverable from seeing the public key. Secondly, with high
probability for any message space, messages should not be entirely recovered from seeing their encrypted form
and the public ﬁle. Thirdly, we may want that in fact no useful information can be computed about messages
from their encrypted form. Fourthly, we do not want the adversary to be able to compute any useful facts about
traﬃc of messages, such as recognize that two messages of identical content were sent, nor would we want her
probability of successfully deciphering a message to increase if the time of delivery or relationship to previous
encrypted messages were made known to her.
In short, it would be desirable for the encryption scheme to be the mathematical analogue of opaque envelopes
containing a piece of paper on which the message is written. The envelopes should be such that all legal senders
can fill them, but only the legal recipient can open them.
We must answer a few questions:
• How can “opaque envelopes” be captured in a precise mathematical deﬁnition?
• Are “opaque envelopes” achievable mathematically?
Several deﬁnitions of security attempting to capture the “opaque envelope” analogy have been proposed. All
deﬁnitions proposed so far have been shown to be equivalent. We describe two of them and show they are
equivalent.
7.3.1 Deﬁnition of Security: Polynomial Indistinguishability
Informally, we say that an encryption scheme is polynomial time indistinguishable if no adversary can find even
two messages whose encryptions he can distinguish between. If we recall the envelope analogy, this translates
to saying that we cannot tell two envelopes apart.
Definition 7.2 We say that a Public Key Cryptosystem $(G, E, D)$ is polynomial time indistinguishable if for
every PPT $M$, $A$, and for every polynomial $Q$, $\forall$ sufficiently large $k$
$$\Pr\big(A(1^k, e, m_0, m_1, c) = m \mid (e, d) \xleftarrow{\$} G(1^k);\ \{m_0, m_1\} \xleftarrow{\$} M(1^k);\ m \xleftarrow{\$} \{m_0, m_1\};\ c \xleftarrow{\$} E(e, m)\big) < \frac{1}{2} + \frac{1}{Q(k)} \qquad (7.1)$$
In other words, it is impossible in time polynomial in $k$ to find two messages $m_0, m_1$ such that a polynomial
time algorithm can distinguish between $c \in E(e, m_0)$ and $c \in E(e, m_1)$.
Remarks about the definition:
(1) We remark that a stronger form of security would be: the above holding $\forall m_0, m_1$ (not only those which
can be found in polynomial time by running $M(1^k)$). Such security can be shown in a non-uniform model,
or when the messages are chosen before the keys, and thus cannot involve any information about the secret
keys themselves.
(2) In the case of a private-key encryption scheme, the definition changes ever so slightly. The encryption key $e$
is not given to algorithm $A$.
(3) Note that any encryption scheme in which the encryption algorithm $E$ is deterministic immediately fails to
pass this security requirement. (E.g., given $f, m_0, m_1$ and $c \in \{f(m_1), f(m_0)\}$ it is trivial to decide whether
$c = f(m_0)$ or $c = f(m_1)$.)
(4) Note that even if the adversary knows that the message being encrypted is one of two, he still cannot tell
the distribution of ciphertexts of one message apart from that of the other.
7.3.2 Another Definition: Semantic Security
Consider the following two games. Let $h : M \to \{0,1\}^*$, where $M$ is a message space in which we can sample
in polynomial time, or equivalently, a probabilistic polynomial time algorithm $M$ that takes as input $1^k$ and
generates a message $m \in \{0,1\}^k$, and $h(m)$ is some information about the message (for example, let $h$ be such
that $h(m) = 1$ if $m$ has the letter 'e' in it; then $V = \{0,1\}$).
• Game 1: I tell the adversary that I am about to choose $m \in M(1^k)$ and ask her to guess $h(m)$.
• Game 2: I tell the adversary $\alpha \in E(m)$, for some $m \in M(1^k)$, and once again ask her to guess $h(m)$.
In both of the above cases we may assume that the adversary knows the message space algorithm $M$ and the
public key $P$.
In the first game, the adversary only knows that a message $m$ is about to be chosen. In addition to this fact, the
adversary of Game 2 sees the actual ciphertext itself. For all types of message spaces, semantic security will
essentially require that the probability of the adversary winning Game 1 be about the same as her probability
of winning Game 2. Namely, the adversary should not gain any advantage or information from having seen
the ciphertext resulting from our encryption algorithm.
Said differently, this definition requires that for all probability distributions over the message space, no
partial information about the message can be computed from the ciphertext. This requirement is reminiscent
of Shannon's perfect security definition, with respect to a computationally bounded adversary.
Definition 7.3 We say that an encryption scheme $(G, E, D)$ is semantically secure if for all PPT algorithms
$M$ and $A$, functions $h$, polynomials $Q$ there is a PPT $B$ such that for sufficiently large $k$,
$$\Pr\big(A(1^k, c, e) = h(m) \mid (e, d) \xleftarrow{\$} G(1^k);\ m \xleftarrow{\$} M(1^k);\ c \xleftarrow{\$} E(e, m)\big) \le \Pr\big(B(1^k) = h(m) \mid m \xleftarrow{\$} M(1^k)\big) + \frac{1}{Q(k)} \qquad (7.2)$$
Here, Game 1 is represented by PTM $B$, and Game 2 by PTM $A$. Again, this can only hold true when the
encryption algorithm is a probabilistic one which selects one of many possible encodings for a message; otherwise,
if $E$ were deterministic and $M = \{0,1\}$, then any adversary would have a 100% chance of guessing $h(m)$ correctly
for $m \in M$ by simply testing whether $E(0) = c$ or $E(1) = c$.
Theorem 7.4 A Public Key Cryptosystem passes Indistinguishable Security if and only if it passes Semantic
Security.
7.4 Probabilistic Public Key Encryption
We turn now to showing how to actually build a public key encryption scheme which is polynomial time
indistinguishable.
In order to do so, we must abandon the trapdoor function PKC model and deterministic encryption algorithms
altogether, in favor of probabilistic encryption algorithms. The probabilistic encryption algorithm which we
will construct will still assume the existence of trapdoor functions and use them as a primitive building block.
The key to the construction is to ﬁrst answer a simpler problem: How to securely encrypt single bits. We show
two ways to approach this problem. The ﬁrst is based on trapdoor predicates as discussed in Section 2.5, and
the second is based on hard core predicates as discussed in Section 2.4.
7.4.1 Encrypting Single Bits: Trapdoor Predicates
To encrypt single bits, the notion of one-way and trapdoor predicates was introduced by [102]. It later turned
out to be also quite useful for protocol design. We refer the reader to Section 2.5 for a general treatment of this
subject. Here we look at its use for encryption.
The Idea: Briefly, a one-way predicate is a Boolean function which is hard to compute in a very strong
sense. Namely, an adversary cannot compute the predicate value better than by taking a random guess. Yet,
it is possible to sample the domain of the predicate for elements for which the predicate evaluates to 0 and to
1. A trapdoor predicate possesses the extra feature that there exists some trapdoor information that enables
the computation of the predicate. We can construct examples of collections of trapdoor predicates based on
the intractability of factoring, RSA inversion and the difficulty of distinguishing quadratic residues from non-residues.
Now, given that a collection of trapdoor predicates exists, we use it to set up a cryptosystem for one bit encryption
as follows. Every user A chooses and publishes a random trapdoor predicate, keeping secret the corresponding
trapdoor information. To send A a one bit message $m$, any other user chooses at random an element in
the domain of the trapdoor predicate for which the predicate evaluates to $m$. To decrypt, A uses his trapdoor
information to compute the value of the predicate on the domain element it receives. Note that this is a probabilistic
encryption with many possible ciphertexts for 0 as well as 1, where essentially an adversary cannot distinguish
between an encoding of 0 and an encoding of 1.
Recall the formal definition of trapdoor predicates (2.59).
Let $I$ be a set of indices and for $i \in I$ let $D_i$ be finite. A collection of trapdoor predicates is a set $B = \{B_i : D_i \to \{0,1\}\}_{i \in I}$
satisfying the following conditions. Let $D_i^v = \{x \in D_i : B_i(x) = v\}$.
1. There exists a polynomial $p$ and a PTM $S_1$ which on input $1^k$ finds pairs $(i, t_i)$ where $i \in I \cap \{0,1\}^k$ and
$|t_i| < p(k)$. The information $t_i$ is referred to as the trapdoor of $i$.
2. There exists a PTM $S_2$ which on input $i \in I$ and $v \in \{0,1\}$ outputs $x \in D_i$ at random such that $B_i(x) = v$.
3. There exists a PTM $A_1$ such that for $i \in I$ and trapdoor $t_i$, $x \in D_i$, $A_1(i, t_i, x) = B_i(x)$.
4. For every PPT $A$ there exists a negligible $\nu_A$ such that $\forall k$ large enough
$$\Pr\big[z = v : i \xleftarrow{\$} I \cap \{0,1\}^k;\ v \xleftarrow{\$} \{0,1\};\ x \xleftarrow{\$} D_i^v;\ z \leftarrow A(i, x)\big] \le \nu_A(k)$$
Definition 7.5 Assume that $B$ is a collection of trapdoor predicates. We can now define a public key cryptosystem
$(G, E, D)_B$ for sending single bit messages as follows:
• Key generation algorithm: $G(1^k)$ chooses $(i, t_i)$ (public key is then $i$ and private key is $t_i$). This is doable
by running algorithm $S_1$.
• Encryption algorithm: Let $m \in \{0,1\}$ be the message. Encryption algorithm $E(i, m)$ selects $x \in D_i^m$.
(The ciphertext is thus $x$.) This is doable by running algorithm $S_2$.
• Decryption algorithm: $D(c, t_i)$ computes $B_i(c)$. This is doable using $A_1$ given the trapdoor information.
It is clear from the definition of a set of trapdoor predicates that all of the above operations can be done in
expected polynomial time and that messages can indeed be sent this way. It follows immediately from the
definition of trapdoor predicates that indeed this system is polynomially indistinguishable when restricted to
one bit message spaces.
7.4.2 Encrypting Single Bits: Hard Core Predicates
Alternatively, you may take the following perhaps simpler approach, starting directly with trapdoor functions
and using their hard core predicates. For a detailed discussion of trapdoor functions and hard core predicates
for them see Section 2.59. The discussion here assumes such knowledge.
Recall that a collection of trapdoor permutations is a set $F = \{f_i : D_i \to D_i\}_{i \in I}$ such that:
1. $S_1(1^k)$ samples $(i, t_i)$ where $i \in I$, $|i| = k$ and $|t_i| < p(k)$ for some polynomial $p$.
2. $S_2(i)$ samples $x \in D_i$.
3. $\exists$ PTM $A_1$ such that $A_1(i, x) = f_i(x)$.
4. $\Pr[A(i, f_i(x)) \in f_i^{-1}(f_i(x))] < \frac{1}{Q(k)}$ $\forall$ PTM $A$, $\forall Q$, $\forall k > k_0$.
5. $\exists$ PTM $A_2$ such that $A_2(i, t_i, f_i(x)) = x$, $\forall x \in D_i$, $i \in I$.
Further, let $B_i(x)$ be hard core for $f_i(x)$. Recall that the existence of $F$ implies the existence of $F'$ that has a
hard core predicate. So, for notational simplicity assume that $F = F'$. Also recall that for the RSA collection
of trapdoor functions, the LSB is a hard core predicate.
Definition 7.6 Given a collection $F$ with hard core predicates $B$, define public key cryptosystem $(G, E, D)_B$
for sending a single bit as follows:
• Key generation algorithm: $G(1^k)$ chooses the pair $\langle i, t_i \rangle$ by running $S_1(1^k)$. (For RSA, $G(1^k)$ chooses
$\langle n, e \rangle, d$ such that $n$ is an RSA modulus, and $ed = 1 \bmod \varphi(n)$.)
• Encryption algorithm: $E(i, m)$ chooses at random an $x \in D_i$ such that $B_i(x) = m$, and outputs as
ciphertext $f_i(x)$. Using the Goldreich-Levin construction of a hard core predicate, simply choose $x, r$ such
that the inner product of $x$ and $r$ is $m$ and output $f(x) \circ r$. (For RSA, to encrypt bit $m$, choose at random
an $x \in Z_n^*$ such that $LSB_{\langle n,e \rangle}(x) = m$ and output as ciphertext $RSA_{\langle n,e \rangle}(x)$.)
• Decryption algorithm: To decrypt $c = f_i(x)$, given $i$ and $t_i$, the decryption algorithm $D(t_i, c)$ computes
$B_i(f_i^{-1}(c)) = B_i(x) = m$. Using the Goldreich-Levin construction this amounts, given $c = f_i(x) \circ r$,
to computing the inner product of $x$ and $r$. (For RSA, to decrypt $c$, given $n, e$ and $d$, compute
$LSB((RSA_{\langle n,e \rangle}(x))^d) =$ least significant bit of $x$.)
7.4.3 General Probabilistic Encryption
How should we encrypt arbitrary length messages?
The first answer is to simply encrypt each bit individually using one of the above methods. Before
considering whether this is wise from an efficiency point of view, we need to argue that it indeed will produce an
encryption scheme which is polynomial time indistinguishable. This requires reflection, as even though every
bit individually is secure, it could be the case that some predicate computed on all the bits is easily
computable, such as the exclusive or of the bits. This turns out luckily not to be the case, but requires proof.
We now provide the construction and proof.
Definition 7.7 We define a probabilistic encryption based on trapdoor collection $F$ with hard core bit $B$ to
be $PE = (G, E, D)$ where:
• $G(1^k)$ chooses $(i, t_i)$ by running $S_1(1^k)$ (public key is $i$, private key is $t_i$).
• Let $m = m_1 \ldots m_k$ where $m_j \in \{0,1\}$ be the message.
$E(i, m)$ encrypts $m$ as follows:
Choose $x_j \in_R D_i$ such that $B_i(x_j) = m_j$ for $j = 1, \ldots, k$.
Output $c = f_i(x_1) \ldots f_i(x_k)$.
• Let $c = y_1 \ldots y_k$ where $y_j \in D_i$ be the ciphertext.
$D(t_i, c)$ decrypts $c$ as follows:
Compute $m_j = B_i(f_i^{-1}(y_j))$ for $j = 1, \ldots, k$.
Output $m = m_1 \ldots m_k$.
Claim 7.8 If $F$ is a collection of trapdoor permutations then the probabilistic encryption $PE = (G, E, D)$ is
indistinguishably secure.
Proof: Suppose that $(G, E, D)$ is not indistinguishably secure. Then there is a polynomial $Q$, a PTM $A$ and a
message space algorithm $M$ such that for infinitely many $k$, $\exists m_0, m_1 \in M(1^k)$ with
$$\Pr[A(1^k, i, m_0, m_1, c) = j \mid m_j \in \{m_0, m_1\},\ c \in E(i, m_j)] > \frac{1}{2} + \frac{1}{Q(k)}$$
where the probability is taken over the coin tosses of $A$, $(i, t_i) \in G(1^k)$, the coin tosses of $E$ and $m_j \in \{m_0, m_1\}$.
In other words, $A$ says 0 more often when $c$ is an encryption of $m_0$ and says 1 more often when $c$ is an encryption
of $m_1$.
Define distributions $D_j = E(i, s_j)$ for $j = 0, 1, \ldots, k$ where $k = |m_0| = |m_1|$ and such that $s_0 = m_0$, $s_k = m_1$
and $s_j$ differs from $s_{j+1}$ in precisely 1 bit.
Let $P_j = \Pr[A(1^k, i, m_0, m_1, c) = 1 \mid c \in D_j = E(i, s_j)]$.
Then
$$\frac{1}{2} + \frac{1}{Q(k)} < \Pr[A \text{ chooses } j \text{ correctly}] = (1 - P_0)\Big(\frac{1}{2}\Big) + P_k\Big(\frac{1}{2}\Big).$$
Hence, $P_k - P_0 > \frac{2}{Q(k)}$ and since $\sum_{j=0}^{k-1}(P_{j+1} - P_j) = P_k - P_0$, $\exists j$ such that $P_{j+1} - P_j > \frac{2}{Q(k)k}$.
Now, consider the following algorithm $B$ which takes input $i, f_i(y)$ and outputs 0 or 1. Assume that $s_j$ and $s_{j+1}$
differ in the $l$th bit; that is, $s_{j,l} \ne s_{j+1,l}$ or, equivalently, $s_{j+1,l} = \bar{s}_{j,l}$.
$B$ runs as follows on input $i, f_i(y)$:
(1) Choose $y_1, \ldots, y_k$ such that $B_i(y_r) = s_{j,r}$ for $r = 1, \ldots, k$.
(2) Let $c = f_i(y_1), \ldots, f_i(y), \ldots, f_i(y_k)$ where $f_i(y)$ has replaced $f_i(y_l)$ in the $l$th block.
(3) If $A(1^k, i, m_0, m_1, c) = 0$ then output $s_{j,l}$.
If $A(1^k, i, m_0, m_1, c) = 1$ then output $s_{j+1,l} = \bar{s}_{j,l}$.
Note that $c \in E(i, s_j)$ if $B_i(y) = s_{j,l}$ and $c \in E(i, s_{j+1})$ if $B_i(y) = s_{j+1,l}$.
Thus, in step 3 of algorithm $B$, outputting $s_{j,l}$ corresponds to $A$ predicting that $c$ is an encoding of $s_j$; in other
words, $c$ is an encoding of the string nearest to $m_0$.
Claim. $\Pr[B(i, f_i(y)) = B_i(y)] > \frac{1}{2} + \frac{1}{Q(k)k}$
Proof:
$$\begin{aligned}
\Pr[B(i, f_i(y)) = B_i(y)] &= \Pr[A(1^k, i, m_0, m_1, c) = 0 \mid c \in E(i, s_j)]\,\Pr[c \in E(i, s_j)] \\
&\quad + \Pr[A(1^k, i, m_0, m_1, c) = 1 \mid c \in E(i, s_{j+1})]\,\Pr[c \in E(i, s_{j+1})] \\
&\ge (1 - P_j)\Big(\frac{1}{2}\Big) + (P_{j+1})\Big(\frac{1}{2}\Big) \\
&= \frac{1}{2} + \frac{1}{2}(P_{j+1} - P_j) \\
&> \frac{1}{2} + \frac{1}{Q(k)k}
\end{aligned}$$
□
Thus, $B$ will predict $B_i(y)$ given $i, f_i(y)$ with probability better than $\frac{1}{2} + \frac{1}{Q(k)k}$. This contradicts the assumption
that $B_i(y)$ is hard core for $f_i(y)$.
Hence, the probabilistic encryption $PE = (G, E, D)$ is indistinguishably secure.
In fact, the probabilistic encryption $PE = (G, E, D)$ is also semantically secure. This follows from the fact that
semantic and indistinguishable security are equivalent.
7.4.4 Eﬃcient Probabilistic Encryption
How efficient are the probabilistic schemes? In the schemes described so far, the ciphertext is longer than
the cleartext by a factor proportional to the security parameter. However, it has been shown [39, 43], using
later ideas on pseudo-random number generation, how to start with trapdoor functions and build a probabilistic
encryption scheme that is polynomial-time secure for which the ciphertext is longer than the cleartext by only
an additive factor. The most efficient probabilistic encryption scheme is due to Blum and Goldwasser [43]
and is comparable with the RSA deterministic encryption scheme in speed and data expansion. Recall that
private-key encryption seemed to be much more efficient. Indeed, in practice the public-key methods are often
used to transmit a secret session key between two participants which have never met, and subsequently the
secret session key is used in conjunction with a private-key encryption method.
We first describe a probabilistic public key cryptosystem based on any trapdoor function collection which suffers
only from a small additive bandwidth expansion.
Cryptography: Lecture Notes 131
As in the previous probabilistic encryption PE, we begin with a collection of trapdoor permutations $F = \{f_i : D_i \to D_i\}$ with hard core predicates $B = \{B_i : D_i \to \{0,1\}\}$. For this section, we consider that $D_i \subseteq \{0,1\}^k$, where $k = |i|$.
Then EPE = (G, E, D) is our PKC based on F with:
Key Generation: $G(1^k) = S_1(1^k) = (i, t_i)$. The public key is $i$, and the secret key is $t_i$.
Encryption Algorithm: To encrypt $m$, $E(i, m)$ runs as follows, where $l = |m|$:
(1) Choose $r \in D_i$ at random.
(2) Compute $f_i(r), f_i^2(r), \ldots, f_i^l(r)$.
(3) Let $p = B_i(r)\,B_i(f_i(r))\,B_i(f_i^2(r)) \ldots B_i(f_i^{l-1}(r))$.
(4) Output the ciphertext $c = (p \oplus m,\ f_i^l(r))$.
Decryption Algorithm: To decrypt a ciphertext $c = (m', a)$, $D(t_i, c)$ runs as follows, where $l = |m'|$:
(1) Compute $r$ such that $f_i^l(r) = a$. We can do this since we can invert $f_i$ using the trapdoor information $t_i$, and this $r$ is unique since $f_i$ is a permutation.
(2) Compute the pad as above for encryption: $p = B_i(r)\,B_i(f_i(r)) \ldots B_i(f_i^{l-1}(r))$.
(3) Output decrypted message $m = m' \oplus p$.
To consider the efficiency of this scheme, we note that the channel bandwidth is $|c| = |m| + k$, where $k$ is the security parameter as defined above. This is a significant improvement over the $|m| \cdot k$ bandwidth achieved by the scheme proposed in the previous lecture, allowing improvement in security with only minimal increase in bandwidth.
If $C_{i1}$ is the cost of computing $f_i$, and $C_{i2}$ is the cost of computing $f_i^{-1}$ given $t_i$, then the cost of encryption is $|m| \cdot C_{i1}$, and the cost of decryption is $|m| \cdot C_{i2}$, assuming that the cost of computing $B_i$ is negligible.
Another interesting point is that for all functions currently conjectured to be trapdoor, even with $t_i$, it is still easier to compute $f_i$ than $f_i^{-1}$, that is, $C_{i1} < C_{i2}$, though of course, both are polynomial in $k = |i|$. Thus in EPE, if it is possible to compute $f_i^{-l}$ more efficiently than as $l$ compositions of $f_i^{-1}$, then computing $r = f_i^{-l}(a)$, and then computing $f_i(r), f_i^2(r), \ldots, f_i^{l-1}(r)$ may reduce the overall cost of decryption. The following implementation demonstrates this.
7.4.5 An implementation of EPE with cost equal to the cost of RSA
In this section, we consider a particular implementation of EPE as efficient as RSA. This uses for F a subset of Rabin's trapdoor functions which were introduced in Lecture 5. Recall that we can reduce Rabin's functions to permutations if we only consider the Blum primes, and restrict the domain to the set of quadratic residues. In fact, we will restrict our attention to primes of the form $p \equiv 7 \bmod 8$.[1]
Let $\mathcal{N} = \{\,n \mid n = pq;\ |p| = |q|;\ p, q \equiv 7 \bmod 8\,\}$. Then let $F = \{f_n : D_n \to D_n\}_{n \in \mathcal{N}}$, where $f_n(x) \equiv x^2 \bmod n$, and $D_n = Q_n = \{\,y \mid y \equiv x^2 \bmod n\,\}$. Because $p, q \equiv 3 \bmod 4$, we have that $f_n$ is a permutation on $D_n$. $B_n(x)$ is the least significant bit (LSB) of $x$, which is a hard core bit if and only if factoring is difficult, i.e., the Factoring Assumption from Lecture 5 is true. (This fact was stated, but not proven, in Lecture 7.)
Then consider the EPE (G, E, D), with:
Generation: $G(1^k) = (n, (p, q))$ where $pq = n \in \mathcal{N}$, and $|n| = k$. Thus $n$ is the public key, and $(p, q)$ is the secret key.
Encryption: $E(n, m)$, where $l = |m|$ (exactly as in general case above):
(1) Choose $r \in Q_n$ randomly.
(2) Compute $r^2, r^4, r^8, \ldots, r^{2^l} \pmod n$.
(3) Let $p = \mathrm{LSB}(r)\,\mathrm{LSB}(r^2)\,\mathrm{LSB}(r^4) \ldots \mathrm{LSB}(r^{2^{l-1}})$.
(4) Output $c = (m \oplus p,\ r^{2^l} \bmod n)$.
The cost of encrypting is $O(k^2 l)$.
Decryption: $D((p, q), c)$, where $c = (m', a)$, $l = |m'|$ (as in general case above):
(1) Compute $r$ such that $r^{2^l} \equiv a \bmod n$.
(2) Compute $p = \mathrm{LSB}(r)\,\mathrm{LSB}(r^2)\,\mathrm{LSB}(r^4) \ldots \mathrm{LSB}(r^{2^{l-1}})$.
(3) Output $m = m' \oplus p$.
[1] More recent results indicate that this additional restriction may not be necessary.
Since $p, q \equiv 7 \bmod 8$, we have $p = 8t + 7$ and $q = 8s + 7$ for some integers $s, t$. Recall from Lecture 3 that if $p$ is prime, the Legendre symbol $J_p(a) = a^{\frac{p-1}{2}} \equiv 1 \bmod p$ if and only if $a \in Q_p$. Since $a \in Q_n$, we also have $a \in Q_p$. Thus we can compute
$$a \equiv a \cdot a^{\frac{p-1}{2}} \equiv a^{1 + 4t + 3} \equiv \left(a^{2t+2}\right)^2 \pmod p,$$
yielding $\sqrt{a} \equiv a^{2t+2} \bmod p$. Furthermore, $a^{2t+2} = (a^{t+1})^2 \in Q_p$, so we can do this repeatedly to find $r_p \equiv \sqrt[2^l]{a} \equiv a^{(2t+2)^l} \bmod p$. (This is why we require $p \equiv 7 \bmod 8$.) Analogously, we can find $r_q \equiv \sqrt[2^l]{a} \equiv a^{(2s+2)^l} \bmod q$, and using the Chinese Remainder Theorem (Lecture 5), we can find $r \equiv \sqrt[2^l]{a} \bmod n$. The cost of decrypting in this fashion is $O(k^3 l)$.
However, we can also compute $r$ directly by computing $u = (2t+2)^l$ and $v = (2s+2)^l$ first, and in fact, if the length of the messages is known ahead of time, we can compute $u$ and $v$ offline. In any event, the cost of decrypting then is simply the cost of computing $a^u \bmod p$ and $a^v \bmod q$, using the Chinese Remainder Theorem, and then computing $p$ given $r$, just as when encrypting. This comes out to $O(k^3 + k^2 l) = O(k^3)$ if $l = O(k)$.
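The following Python program is an added worked instance of the EPE scheme of Section 7.4.4 instantiated with the Rabin squaring permutation of Section 7.4.5; it is not code from the notes. It uses two constructed primes 103 and 127 (both congruent to 7 mod 8, and far too small for any real use) and shows both decryption routes described above: $l$ successive square roots $a \mapsto a^{2t+2}$, and the direct exponent $u = (2t+2)^l$. Reducing $u$ modulo $p-1$ before exponentiating is an added optimisation justified by Fermat's little theorem, not something the notes state.

```python
# Added example (not from the lecture notes): toy Blum-Goldwasser / EPE instance
# with f_n(x) = x^2 mod n on Q_n and hard-core bit B_n(x) = LSB(x).
# Primes are constructed and tiny; they only need p, q ≡ 7 (mod 8).
from math import gcd

P, Q = 103, 127            # constructed primes, both ≡ 7 (mod 8)
N = P * Q                  # public key n; (P, Q) is the secret key
assert P % 8 == 7 and Q % 8 == 7

def lsb(x):
    """Hard-core predicate B_n(x): least significant bit of x."""
    return x & 1

def random_residue(n, seed):
    """Map a unit mod n into Q_n by squaring; `seed` stands in for the random choice."""
    assert gcd(seed, n) == 1
    return seed * seed % n

def pad_and_state(r, n, l):
    """Return (p, a) with p = LSB(r) LSB(r^2) ... LSB(r^{2^{l-1}}) and a = r^{2^l} mod n."""
    bits, cur = [], r
    for _ in range(l):
        bits.append(lsb(cur))
        cur = cur * cur % n
    return bits, cur

def encrypt(n, m_bits, r):
    """E(n, m): ciphertext (m xor p, r^{2^l} mod n) for r in Q_n."""
    p, a = pad_and_state(r, n, len(m_bits))
    return [mb ^ pb for mb, pb in zip(m_bits, p)], a

def root_2l_iterated(a, p, l):
    """2^l-th root of a in Q_p by l square roots a -> a^{2t+2}, where p = 8t + 7 (cost O(k^3 l))."""
    t = (p - 7) // 8
    for _ in range(l):
        a = pow(a, 2 * t + 2, p)
    return a

def root_2l_direct(a, p, l):
    """Same root via the single exponent u = (2t+2)^l; u is reduced mod p-1 (Fermat; added here)."""
    t = (p - 7) // 8
    u = pow(2 * t + 2, l, p - 1)
    return pow(a, u, p)

def crt(rp, p, rq, q):
    """Chinese Remainder Theorem: the unique r mod pq with r ≡ rp (mod p) and r ≡ rq (mod q)."""
    inv_p_mod_q = pow(p, -1, q)
    return (rp + p * ((rq - rp) * inv_p_mod_q % q)) % (p * q)

def decrypt(p, q, c):
    """D((p, q), c): recover r = 2^l-th root of a in Q_n, rebuild the pad, unmask m'."""
    m_masked, a = c
    l = len(m_masked)
    r = crt(root_2l_direct(a % p, p, l), p, root_2l_direct(a % q, q, l), q)
    pad, _ = pad_and_state(r, p * q, l)
    return [mb ^ pb for mb, pb in zip(m_masked, pad)]

if __name__ == "__main__":
    r = random_residue(N, 1234)                  # constructed "random" r in Q_n
    m = [1, 0, 1, 1, 0, 0, 1, 0]                 # 8-bit constructed message
    c = encrypt(N, m, r)
    print("ciphertext", c, "decrypts to", decrypt(P, Q, c))
```

Because squaring is a permutation on $Q_p$ for $p \equiv 3 \bmod 4$, the root returned by either routine is the unique one lying in $Q_p$, which is why the recovered $r$ equals the encryptor's $r$ and the pads agree.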
EPE Passes Indistinguishable Security
We wish to show that EPE also passes indistinguishable security. To do this we use the notion of pseudo-random number generators (PSRG) introduced in the chapter on pseudo-random number generation. Note that
$$\mathrm{PSRG}(r, i) = f_i^l(r) \circ B_i(r)\,B_i(f_i(r))\,B_i(f_i^2(r)) \ldots B_i(f_i^{l-1}(r)) = a \circ p,$$
where $p$ and $a$ are generated while encrypting messages ($\circ$ is the concatenation operator), is a pseudorandom number generator. Indeed, this is the construction we used to prove the existence of PSRGs, given one-way permutations.
Certainly if the pad $p$ were completely random, it would be impossible to decrypt the message, since $m' = m \oplus p$ would then be a uniformly random string for any $m$. Since $p$ is pseudorandom, it appears random to any PTM without further information, i.e., the trapdoor $t_i$. However, the adversary does know $a = f_i^l(r)$, and we have to show that it cannot use this to compute $p$.
More precisely, we note that if there exists a PTM A that can distinguish between $(m \oplus p) \circ a$ and $(m \oplus R) \circ a$, where $R$ is a completely random string from $\{0,1\}^l$, then it can distinguish between $p \circ a$ and $R \circ a$. We can use this then as a statistical test to check whether a given string is a possible output of PSRG, which contradicts the claim that PSRG is pseudorandom, and thus the claim that $f_i$ is one-way. It is left as an exercise to express this formally.
7.4.6 Practical RSA based encryption
Consider a sender who holds a $k$-bit to $k$-bit trapdoor permutation $f$ and wants to transmit a message $x$ to a receiver who holds the inverse permutation $f^{-1}$. We concentrate on the case which arises most often in cryptographic practice, where $n = |x|$ is at least a little smaller than $k$. Think of $f$ as the RSA function.
Encryption schemes used in practice have the following properties: encryption requires just one computation of $f$; decryption requires just one computation of $f^{-1}$; the length of the enciphered text should be precisely $k$; and the length $n$ of the text $x$ that can be encrypted is close to $k$. Examples of schemes achieving these conditions are [179, 117].
Unfortunately, these are heuristic schemes. A provably secure scheme would be preferable. We have now seen several provably good asymmetric (i.e. public key) encryption schemes. The most efficient is the Blum-Goldwasser scheme [43]. But, unfortunately, it still doesn't match the heuristic schemes in efficiency. Accordingly, practitioners are continuing to prefer the heuristic constructions.
This section presents a scheme called OAEP (Optimal Asymmetric Encryption Padding) which can fill the gap. It was designed by Bellare and Rogaway [25]. It meets the practical constraints but at the same time has a security that can be reasonably justified, in the following sense. The scheme can be proven secure assuming some underlying hash functions are ideal. Formally, the hash functions are modeled as random oracles. In implementation, the hash functions are derived from cryptographic hash functions.
This random oracle model represents a practical compromise under which we can get efficiency with reasonable security assurances. See [15] for a full discussion of this approach.
RSA-OAEP is currently included in several standards and draft standards and is implemented in various systems. In particular, it is the RSA PKCS#1 v2 encryption standard and is also in the IEEE P1363/P1363a draft standards. It is also used in the SET (Secure Electronic Transactions) protocol of Visa and Mastercard.
Simple embedding schemes and OAEP features
The heuristic schemes invariably take the following form: one (probabilistically, invertibly) embeds $x$ into a string $r_x$ and then takes the encryption of $x$ to be $f(r_x)$.[2] Let's call such a process a simple-embedding scheme. We will take as our goal to construct provably-good simple-embedding schemes which allow $n$ to be close to $k$.
The best known example of a simple embedding scheme is the RSA PKCS #1 standard. Its design is however ad hoc; standard assumptions on the trapdoor permutation there (RSA) do not imply the security of the scheme. In fact, the scheme succumbs to chosen ciphertext attack [38]. The OAEP scheme we discuss below is just as efficient as the RSA PKCS #1 scheme, but resists such attacks. Moreover, this resistance is backed by proofs of security. The new version of the RSA PKCS#1 standard, namely v2, uses OAEP.
OAEP is a simple embedding scheme that is bit-optimal (i.e., the length of the string $x$ that can be encrypted by $f(r_x)$ is almost $k$). It is proven secure assuming the underlying hash functions are ideal. It is shown in [25] that RSA-OAEP achieves semantic security (as defined by [102]). It is shown in [89] (building on [194]) that it also achieves a notion called "plaintext-aware encryption" defined in [25, 21]. The latter notion is very strong, and in particular it is shown in [21] that semantic security plus plaintext awareness implies "ambitious" goals like chosen-ciphertext security and non-malleability [75] in the ideal-hash model.
Now we briefly describe the basic scheme and its properties. We refer the reader to [25] for full descriptions and to [25, 89] for proofs of security.
The scheme
Recall $k$ is the security parameter, and $f$ mapping $k$ bits to $k$ bits is the trapdoor permutation. Let $k_0$ be chosen such that the adversary's running time is significantly smaller than $2^{k_0}$ steps. We fix the length of the message to encrypt as $n = k - k_0 - k_1$ (shorter messages can be suitably padded to this length). The scheme makes use of a "generator" $G: \{0,1\}^{k_0} \to \{0,1\}^{n+k_1}$ and a "hash function" $H: \{0,1\}^{n+k_1} \to \{0,1\}^{k_0}$. To encrypt $x \in \{0,1\}^n$ choose a random $k_0$-bit $r$ and set
$$c^{G,H}(x) = f\Big(\, x0^{k_1} \oplus G(r) \ \|\ r \oplus H\big(x0^{k_1} \oplus G(r)\big) \,\Big).$$
The decryption $T^{G,H}$ is defined as follows. Apply $f^{-1}$ to the ciphertext to get a string of the form $ab$ with $|a| = k - k_0$ and $|b| = k_0$. Compute $r = H(a) \oplus b$ and $y = G(r) \oplus a$. If the last $k_1$ bits of $y$ are not all zero then reject; else output the first $n$ bits of $y$ as the plaintext.
[2] It is well-known that a naive embedding like $r_x = x$ is no good: besides the usual deficiencies of any deterministic encryption, $f$ being a trapdoor permutation does not mean that $f(x)$ conceals all the interesting properties of $x$. Indeed it was exactly such considerations that helped inspire ideas like semantic security [102] and hard-core bits [44, 208].
The use of the redundancy (the $0^{k_1}$ term and the check for it in decryption) is in order to provide plaintext awareness.
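The program below is an added worked example of the padding and decryption rule just described; it is not code from the notes or from the PKCS#1 standard. Strings are held as Python integers with explicit bit lengths, $G$ and $H$ are derived from SHA-256 (an assumption; the notes only say they are built from a cryptographic hash function), and $f$ is a toy textbook RSA with a constructed 60-bit modulus standing in for a real $k$-bit permutation. The toy parameters $k = 59$, $k_0 = 16$, $k_1 = 11$ are likewise constructed. The last function flips each bit of the padded string $ab$ in turn and counts how often the $0^{k_1}$ check rejects, which is the mechanism behind the plaintext-awareness remark above.

```python
# Added example (not from the lecture notes): OAEP embed/unembed with the 0^{k_1}
# redundancy check, wrapped around a toy RSA permutation f / f^{-1}.
import hashlib

K, K0, K1 = 59, 16, 11          # toy k, k_0, k_1 (constructed, not secure sizes)
N_MSG = K - K0 - K1             # n = k - k_0 - k_1 = 32-bit messages

def _mask(bits):
    return (1 << bits) - 1

def _hash_bits(tag, value, in_bits, out_bits):
    """Map an in_bits-bit integer to an out_bits-bit integer via SHA-256 (assumed instantiation)."""
    data = tag + value.to_bytes((in_bits + 7) // 8, "big")
    h = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return h & _mask(out_bits)          # out_bits <= 256 for these parameters

def G(r):
    """Generator G: {0,1}^{k_0} -> {0,1}^{n+k_1}."""
    return _hash_bits(b"G", r, K0, N_MSG + K1)

def H(a):
    """Hash H: {0,1}^{n+k_1} -> {0,1}^{k_0}."""
    return _hash_bits(b"H", a, N_MSG + K1, K0)

def oaep_pad(x, r):
    """Return the k-bit string a||b with a = x0^{k_1} xor G(r) and b = r xor H(a)."""
    assert 0 <= x < (1 << N_MSG) and 0 <= r < (1 << K0)
    a = (x << K1) ^ G(r)                # x followed by k_1 zero bits, masked by G(r)
    b = r ^ H(a)
    return (a << K0) | b

def oaep_unpad(s):
    """Invert oaep_pad; return None (reject) unless the last k_1 bits of y are all zero."""
    a, b = s >> K0, s & _mask(K0)
    r = H(a) ^ b
    y = G(r) ^ a
    if y & _mask(K1):                   # redundancy 0^{k_1} must be intact
        return None
    return y >> K1                      # first n bits of y

# Toy RSA as f and f^{-1}: constructed primes, 60-bit modulus, NOT a secure size.
P_RSA, Q_RSA, E_RSA = 1000000007, 998244353, 65537
N_RSA = P_RSA * Q_RSA
D_RSA = pow(E_RSA, -1, (P_RSA - 1) * (Q_RSA - 1))

def encrypt(x, r):
    """c = f(OAEP(x, r)): exactly one application of f. Requires 2^k <= N_RSA, true here."""
    return pow(oaep_pad(x, r), E_RSA, N_RSA)

def decrypt(c):
    """Apply f^{-1} once, then the unpad-and-check rule; None means reject."""
    return oaep_unpad(pow(c, D_RSA, N_RSA))

def tamper_rejections(s):
    """Flip each of the k bits of the padded string s in turn; count how many are rejected."""
    return sum(oaep_unpad(s ^ (1 << i)) is None for i in range(K))

if __name__ == "__main__":
    x, r = 0xDEADBEEF, 0x1234           # constructed 32-bit message and 16-bit coin
    c = encrypt(x, r)
    print(hex(c), "->", hex(decrypt(c)))
    print("single-bit tamperings rejected:", tamper_rejections(oaep_pad(x, r)), "of", K)
```

Any change to $a$ changes $H(a)$ and hence the recovered $r$, and any change to $b$ changes $r$ directly; either way $G(r)$ is recomputed on a fresh input and the $k_1$ redundancy bits survive only with probability about $2^{-k_1}$. That is the whole of the decryption-side check; the proofs in [25, 89] are what turn it into a guarantee.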
Efficiency
The function $f$ can be set to any candidate trapdoor permutation such as RSA [176] or modular squaring [170, 39]. In such a case the time for computing $G$ and $H$ is negligible compared to the time for computing $f, f^{-1}$. Thus complexity is discussed only in terms of $f, f^{-1}$ computations. In this light the scheme requires just a single application of $f$ to encrypt, a single application of $f^{-1}$ to decrypt, and the length of the ciphertext is $k$ (as long as $k \geq n + k_0 + k_1$).
The ideal hash function paradigm
As we indicated above, when proving security we take $G, H$ to be random, and when we want a concrete scheme, $G, H$ are instantiated by primitives derived from a cryptographic hash function. In this regard we are following the paradigm of [15], who argue that even though results which assume an ideal hash function do not provide provable security with respect to the standard model of computation, assuming an ideal hash function and doing proofs with respect to it provides much greater assurance benefit than purely ad hoc protocol design. We refer the reader to that paper for further discussion of the meaningfulness, motivation and history of this ideal hash approach.
Exact security
We want the results to be meaningful for practice. In particular, this means we should be able to say meaningful things about the security of the schemes for specific values of the security parameter (e.g., $k = 512$). This demands not only that we avoid asymptotics and address security "exactly," but also that we strive for security reductions which are as efficient as possible.
Thus the theorem proving the security of the basic scheme quantifies the resources and success probability of a potential adversary: let her run for time $t$, make $q_{\mathrm{gen}}$ queries of $G$ and $q_{\mathrm{hash}}$ queries of $H$, and suppose she could "break" the encryption with advantage $\epsilon$. It then provides an algorithm $M$ and numbers $t', \epsilon'$ such that $M$ inverts the underlying trapdoor permutation $f$ in time $t'$ with probability $\epsilon'$. The strength of the result is in the values of $t', \epsilon'$, which are specified as functions of $t, q_{\mathrm{gen}}, q_{\mathrm{hash}}$, and the underlying scheme parameters $k, k_0, n$ ($k = k_0 + n$). Now a user with some idea of the (assumed) strength of a particular $f$ (e.g., RSA on 512 bits) can get an idea of the resources necessary to break our encryption scheme. See [25] for more details.
OAEP achieves semantic security for any trapdoor function $f$, as shown in [25]. It achieves plaintext awareness, and thus security against chosen-ciphertext attack, when $f$ is RSA, as shown in [89].
7.4.7 Enhancements
An enhancement to OAEP, made by Johnson and Matyas [118], is to use as redundancy, instead of the $0^{k_1}$ above, a hash of information associated to the key. This version of OAEP is proposed in the ANSI X9.44 draft standard.
7.5 Exploring Active Adversaries
Until now we have focused mostly on passive adversaries. But what happens if the adversaries are active? This gives rise to various stronger-than-semantic notions of security such as non-malleability [75], security against chosen ciphertext attack, and plaintext awareness [25, 21]. See [21] for a classification of these notions and discussion of relations among them.
In particular, we consider security against chosen ciphertext attack. In this model, we assume that our adversary has temporary access to the decoding equipment, and can use it to decrypt some ciphertexts that it chooses. Afterwards, the adversary sees the ciphertext it wants to decrypt without any further access to the decoding equipment. Notice that this is different from simply being able to generate pairs of messages and ciphertexts, as the adversary was always capable of doing that by simply encrypting messages of its choice. In this case, the adversary gets to choose the ciphertext and get the corresponding message from the decoding equipment.
We saw in previous sections that such an adversary could completely break Rabin's scheme. It is not known whether any of the other schemes discussed for PKC are secure in the presence of this adversary. However, attempts to provably defend against such an adversary have been made.
One idea is to put checks into the decoding equipment so that it will not decrypt ciphertexts unless it has evidence that someone knew the message (i.e., that the ciphertext was not just generated without knowledge of what the message being encoded was). We might think that a simple way to do this would be to require two distinct encodings of the same message, as it is unlikely that an adversary could find two separate encodings of the same message without knowing the message itself. Thus a ciphertext would be $(\alpha_1, \alpha_2)$ where $\alpha_1, \alpha_2$ are chosen randomly from the encryptions of $m$.
Unfortunately, this doesn't work because if the decoding equipment fails to decrypt the ciphertext, the adversary would still gain some knowledge, i.e., that $\alpha_1$ and $\alpha_2$ do not encrypt the same message. For example, in the probabilistic encryption scheme proposed last lecture, an adversary may wish to learn the hard-core bit $B_i(y)$ for some unknown $y$, where it has $f_i(y)$. Given decoding equipment with the protection described above, the adversary could still discover this bit as follows:
(1) Pick $m \in \mathcal{M}(1^l)$, the message space, and let $b$ be the last bit of $m$.
(2) Pick $\alpha_1 \in E(i, m)$ randomly and independently.
(3) Recall that $\alpha_1 = (f_i(x_1), f_i(x_2), \ldots, f_i(x_l))$, with $x_j$ chosen randomly from $D_i$ for $j = 1, 2, \ldots, l$. Let $\alpha_2 = (f_i(x_1), \ldots, f_i(x_{l-1}), f_i(y))$.
(4) Use the decoding equipment on $c = (\alpha_1, \alpha_2)$. If it answers $m$, then $B_i(y) = b$. If it doesn't decrypt $c$, then $B_i(y) \neq b$.
What is done instead uses the notion of Non-Interactive Zero-Knowledge Proofs (NIZK) [45, 153]. The idea is that anyone can check a NIZK to see that it is correct, but no knowledge can be extracted from it about what is being proved, except that it is correct. Shamir and Lapidot have shown that if trapdoor functions exist, then NIZKs exist. Then a ciphertext will consist of three parts: two distinct encodings $\alpha_1, \alpha_2$ of the message, and a NIZK that $\alpha_1$ and $\alpha_2$ encrypt the same message. Then the decoding equipment will simply refuse to decrypt any ciphertext with an invalid NIZK, and this refusal to decrypt will not give the adversary any new knowledge, since it already knew that the proof was invalid.
The practical importance of chosen ciphertext attack is illustrated in the recent attack of Bleichenbacher on the RSA PKCS #1 encryption standard, which has received a lot of attention. Bleichenbacher [38] shows how to break the scheme under a chosen ciphertext attack. One should note that the OAEP scheme discussed in Section 7.4.6 above is immune to such attacks.
Chapter 8
Hash Functions
A hash function usually means a function that compresses, meaning the output is shorter than the input. Often, such a function takes an input of arbitrary or almost arbitrary length to one whose length is a fixed number, like 160 bits. Hash functions are used in many parts of cryptography, and there are many different types of hash functions, with differing security properties. We will consider them in this chapter.
8.1 The hash function SHA1
The hash function known as SHA1 is a simple but strange function from strings of almost arbitrary length to strings of 160 bits. The function was finalized in 1995, when a FIPS (Federal Information Processing Standard) came out from the US National Institute of Standards that specified SHA1.
Let $\{0,1\}^{<\ell}$ denote the set of all strings of length strictly less than $\ell$. The function $\mathrm{SHA1}: \{0,1\}^{<2^{64}} \to \{0,1\}^{160}$ is shown in Figure 8.1. (Since $2^{64}$ is a very large length, we think of SHA1 as taking inputs of almost arbitrary length.) It begins by padding the message via the function shapad, and then iterates the compression function shf1 to get its output. The operations used in the algorithms of Figure 8.1 are described in Figure 8.2. (The first input in the call to SHF1 in the code for SHA1 is a 128-bit string written as a sequence of four 32-bit words, each word consisting of 8 hexadecimal characters. The same convention holds for the initialization of the variable $V$ in the code of SHF1.)
SHA1 is derived from a function called MD4 that was proposed by Ron Rivest in 1990, and the key ideas behind SHA1 are already in MD4. Besides SHA1, another well-known "child" of MD4 is MD5, which was likewise proposed by Rivest. The MD4, MD5, and SHA1 algorithms are all quite similar in structure. The first two produce a 128-bit output, and work by "chaining" a compression function that goes from 512 + 128 bits to 128 bits, while SHA1 produces a 160-bit output and works by chaining a compression function from 512 + 160 bits to 160 bits.
So what is SHA1 supposed to do? First and foremost, it is supposed to be the case that nobody can find distinct strings $M$ and $M'$ such that $\mathrm{SHA1}(M) = \mathrm{SHA1}(M')$. This property is called collision resistance.
Stop for a moment and think about the collision-resistance requirement, for it is really quite amazing to think that such a thing could be possible. The function SHA1 maps strings of (almost) any length to strings of 160 bits. So even if you restricted the domain of SHA1 just to "short" strings—let us say strings of length 256 bits—then there must be an enormous number of pairs of strings $M$ and $M'$ that hash to the same value. This is just by the pigeonhole principle: if $2^{256}$ pigeons (the 256-bit messages) roost in $2^{160}$ holes (the 160-bit hash values) then some two pigeons (two distinct strings) roost in the same hole (have the same hash). Indeed countless pigeons must share the same hole. The difficulty is only that nobody has as yet identified (meaning, explicitly provided) even two such pigeons (strings).
algorithm SHA1(M)                                  // |M| < 2^64
    V ← SHF1( 5A827999 ‖ 6ED9EBA1 ‖ 8F1BBCDC ‖ CA62C1D6 , M )
    return V

algorithm SHF1(K, M)                               // |K| = 128 and |M| < 2^64
    y ← shapad(M)
    Parse y as M_1 ‖ M_2 ‖ ... ‖ M_n where |M_i| = 512 (1 ≤ i ≤ n)
    V ← 67452301 ‖ EFCDAB89 ‖ 98BADCFE ‖ 10325476 ‖ C3D2E1F0
    for i = 1, ..., n do
        V ← shf1(K, M_i ‖ V)
    return V

algorithm shapad(M)                                // |M| < 2^64
    d ← (447 − |M|) mod 512
    y ← M ‖ 1 ‖ 0^d ‖ ⟨the 64-bit binary representation of |M|⟩    // |y| is a multiple of 512
    return y

algorithm shf1(K, B ‖ V)                           // |K| = 128, |B| = 512 and |V| = 160
    Parse B as W_0 ‖ W_1 ‖ ... ‖ W_15 where |W_i| = 32 (0 ≤ i ≤ 15)
    Parse V as V_0 ‖ V_1 ‖ ... ‖ V_4 where |V_i| = 32 (0 ≤ i ≤ 4)
    Parse K as K_0 ‖ K_1 ‖ K_2 ‖ K_3 where |K_i| = 32 (0 ≤ i ≤ 3)
    for t = 16 to 79 do
        W_t ← ROTL_1(W_{t−3} ⊕ W_{t−8} ⊕ W_{t−14} ⊕ W_{t−16})
    A ← V_0 ; B ← V_1 ; C ← V_2 ; D ← V_3 ; E ← V_4
    for t = 0 to 19 do
        L_t ← K_0 ; L_{t+20} ← K_1 ; L_{t+40} ← K_2 ; L_{t+60} ← K_3
    for t = 0 to 79 do
        if (0 ≤ t ≤ 19) then f ← (B ∧ C) ∨ (¬B ∧ D)
        if (20 ≤ t ≤ 39 OR 60 ≤ t ≤ 79) then f ← B ⊕ C ⊕ D
        if (40 ≤ t ≤ 59) then f ← (B ∧ C) ∨ (B ∧ D) ∨ (C ∧ D)
        temp ← ROTL_5(A) + f + E + W_t + L_t
        E ← D ; D ← C ; C ← ROTL_30(B) ; B ← A ; A ← temp
    V_0 ← V_0 + A ; V_1 ← V_1 + B ; V_2 ← V_2 + C ; V_3 ← V_3 + D ; V_4 ← V_4 + E
    V ← V_0 ‖ V_1 ‖ V_2 ‖ V_3 ‖ V_4
    return V

Figure 8.1: The SHA1 hash function and the underlying SHF1 family.
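As an added example (not code from the notes), the following Python program transcribes Figure 8.1 line for line, keeping the notes' view of SHA1 as the instance of the keyed family SHF1 whose key is the four round constants, and checks the result against the standard library's sha1. The only liberties taken are representational: strings are bytes, so the single 1 bit of shapad together with the first seven zero bits becomes the byte 0x80, and shf1 receives the block and the chaining value as two arguments instead of one concatenated string.

```python
# Added example (not from the lecture notes): SHF1/SHA1 exactly as in Figure 8.1,
# on byte strings, verified against hashlib.sha1.
import hashlib

MASK32 = 0xFFFFFFFF

def rotl(x, l):
    """ROTL_l(X): circular left shift of a 32-bit word by l positions (Figure 8.2)."""
    return ((x << l) | (x >> (32 - l))) & MASK32

def shapad(M):
    """shapad(M) = M || 1 || 0^d || 64-bit |M|, with d = (447 - |M|) mod 512 (bit counts)."""
    bitlen = 8 * len(M)
    d = (447 - bitlen) % 512            # d ≡ 7 (mod 8) because |M| is a multiple of 8
    padding = b"\x80" + b"\x00" * ((d - 7) // 8)   # '1' bit + 7 zeros, then whole zero bytes
    return M + padding + bitlen.to_bytes(8, "big")

def shf1(K, block, V):
    """Compression function shf1(K, B || V): K is four 32-bit words, block is 512 bits, V is 160."""
    W = [int.from_bytes(block[4 * i:4 * i + 4], "big") for i in range(16)]
    for t in range(16, 80):
        W.append(rotl(W[t - 3] ^ W[t - 8] ^ W[t - 14] ^ W[t - 16], 1))
    L = [K[0]] * 20 + [K[1]] * 20 + [K[2]] * 20 + [K[3]] * 20
    A, B, C, D, E = V
    for t in range(80):
        if t <= 19:
            f = (B & C) | ((~B & MASK32) & D)
        elif 20 <= t <= 39 or t >= 60:
            f = B ^ C ^ D
        else:
            f = (B & C) | (B & D) | (C & D)
        temp = (rotl(A, 5) + f + E + W[t] + L[t]) & MASK32
        E, D, C, B, A = D, C, rotl(B, 30), A, temp
    return [(v + x) & MASK32 for v, x in zip(V, (A, B, C, D, E))]

SHA1_KEY = (0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6)   # the 128-bit key of SHA1
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)

def SHF1(K, M):
    """SHF1(K, M): pad, then chain shf1 over the 512-bit blocks starting from IV."""
    y = shapad(M)
    V = list(IV)
    for i in range(0, len(y), 64):
        V = shf1(K, y[i:i + 64], V)
    return b"".join(v.to_bytes(4, "big") for v in V)

def SHA1(M):
    """SHA1 is the instance of SHF1 with key 5A827999 || 6ED9EBA1 || 8F1BBCDC || CA62C1D6."""
    return SHF1(SHA1_KEY, M)

def matches_hashlib(M):
    """Cross-check this transcription against the standard library implementation."""
    return SHA1(M) == hashlib.sha1(M).digest()

if __name__ == "__main__":
    for msg in (b"", b"abc", b"a" * 200):      # constructed inputs
        print(SHA1(msg).hex(), matches_hashlib(msg))
```

Changing the key gives a different member of the family, which is what the collision-resistance definitions of the next section quantify over.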
In trying to define this collision-resistance property of SHA1 we immediately run into "foundational" problems. We would like to say that it is computationally infeasible to output a pair of distinct strings $M$ and $M'$ that collide under SHA1. But in what sense could it be infeasible? There is a program—indeed a very short and simple one, having just two "print" statements—whose output specifies a collision. It's not computationally hard to output a collision; it can't be. The only difficulty is our human problem of not knowing what this program is.
It seems very hard to make a mathematical definition that captures the idea that human beings can't find collisions in SHA1. In order to reach a mathematically precise definition we are going to have to change the very nature of what we conceive to be a hash function. Namely, rather than it being a single function, it will be a family of functions. This is unfortunate in some ways, because it distances us from concrete hash functions like SHA1. But no alternative is known.
X ∧ Y          bitwise AND of X and Y
X ∨ Y          bitwise OR of X and Y
X ⊕ Y          bitwise XOR of X and Y
¬X             bitwise complement of X
X + Y          integer sum modulo 2^32 of X and Y
ROTL_l(X)      circular left shift of bits of X by l positions (0 ≤ l ≤ 31)
Figure 8.2: Operations on 32-bit words used in shf1.

Pre-key attack phase      A selects 2 − s points
Key selection phase       A key K is selected at random from $\mathcal{K}$
Post-key attack phase     A is given K and returns s points
Winning condition         The 2 points selected by A form a collision for H_K
Figure 8.3: Framework for security notions for collision-resistant hash functions. The three choices of $s \in \{0, 1, 2\}$ give rise to three notions of security.
8.2 Collision-resistant hash functions
A hash function for us is a family of functions $H: \mathcal{K} \times D \to R$. Here $D$ is the domain of $H$ and $R$ is the range of $H$. As usual, if $K \in \mathcal{K}$ is a particular key then $H_K: D \to R$ is defined for all $M \in D$ by $H_K(M) = H(K, M)$. This is the instance of $H$ defined by key $K$.
An example is $\mathrm{SHF1}: \{0,1\}^{128} \times \{0,1\}^{<2^{64}} \to \{0,1\}^{160}$, as described in Figure 8.1. This hash function takes a 128-bit key and an input $M$ of at most $2^{64}$ bits and returns a 160-bit output. The function SHA1 is an instance of this family, namely the one whose associated key is 5A827999 ‖ 6ED9EBA1 ‖ 8F1BBCDC ‖ CA62C1D6.
Let $H: \mathcal{K} \times D \to R$ be a hash function. Here is some notation we use in this chapter. For any key $K$ and $y \in R$ we let
$$H_K^{-1}(y) = \{\, x \in D : H_K(x) = y \,\}$$
denote the preimage set of $y$ under $H_K$. Let
$$\mathrm{Image}(H_K) = \{\, H_K(x) : x \in D \,\}$$
denote the image of $H_K$.
A collision for a function $h: D \to R$ is a pair $x_1, x_2 \in D$ of points such that (1) $h(x_1) = h(x_2)$ and (2) $x_1 \neq x_2$. The most basic security property of a hash function is collision-resistance, which measures the ability of an adversary to find a collision for an instance $H_K$ of a family $H$. There are different notions of collision resistance, varying in restrictions put on the adversary in its quest for a collision.
To introduce the different notions, we imagine a game, parameterized by an integer $s \in \{0, 1, 2\}$, and involving an adversary $A$. It consists of a pre-key attack phase, followed by a key-selection phase, followed by a post-key attack phase. The adversary is attempting to find a collision for $H_K$, where key $K$ is selected at random from $\mathcal{K}$ in the key-selection phase. Recall that a collision consists of a pair $x_1, x_2$ of (distinct) points in $D$. The adversary is required to specify $2 - s$ points in the pre-key attack phase, before it has any information about the key. (The latter has yet to be selected.) Once the adversary has specified these points and the key has been selected, the adversary is given the key, and will choose the remaining $s$ points as a function of the key, in the post-key attack phase. It wins if the $2 = (2 - s) + s$ points it has selected form a collision for $H_K$.
Exp^{cr2-kk}_H(A)
    $K \xleftarrow{\$} \mathcal{K}$ ; $(x_1, x_2) \xleftarrow{\$} A(K)$
    if ( $H_K(x_1) = H_K(x_2)$ and $x_1 \neq x_2$ and $x_1, x_2 \in D$ )
        then return 1 else return 0

Exp^{cr1-kk}_H(A)
    $(x_1, st) \xleftarrow{\$} A()$ ; $K \xleftarrow{\$} \mathcal{K}$ ; $x_2 \xleftarrow{\$} A(K, st)$
    if ( $H_K(x_1) = H_K(x_2)$ and $x_1 \neq x_2$ and $x_1, x_2 \in D$ )
        then return 1 else return 0

Exp^{cr0}_H(A)
    $(x_1, x_2) \xleftarrow{\$} A()$ ; $K \xleftarrow{\$} \mathcal{K}$
    if ( $H_K(x_1) = H_K(x_2)$ and $x_1 \neq x_2$ and $x_1, x_2 \in D$ )
        then return 1 else return 0

Figure 8.4: Experiments defining security notions for three kinds of collision-resistant hash functions under known-key attack.
Figure 8.3 summarizes the framework. The three choices of the parameter $s$ give rise to three notions of security. The higher the value of $s$ the more power the adversary has, and hence the more stringent is the corresponding notion of security. Figure 8.4 provides in more detail the experiments underlying the three attacks arising from the above framework. We represent by $st$ information that the adversary wishes to maintain across its attack phases. It will output this information in the pre-key attack phase, and be provided it at the start of the post-key attack phase.
In a variant of this model that we consider in Section 8.6, the adversary is not given the key $K$ in the post-key attack phase, but instead is given an oracle for $H_K(\cdot)$. To disambiguate, we refer to our current notions as capturing collision-resistance under known-key attack, and the notions of Section 8.6 as capturing collision-resistance under hidden-key attack. The notation in the experiments of Figure 8.4 and Definition 8.1 reflects this via the use of "kk", except that for CR0, known and hidden key attacks coincide, and hence we just say cr0.
The three types of hash functions we are considering are known by other names in the literature, as indicated in Figure 8.5.
Definition 8.1 Let $H: \mathcal{K} \times D \to R$ be a hash function and let $A$ be an algorithm. We let
$$\mathbf{Adv}^{\mathrm{cr2\text{-}kk}}_H(A) = \Pr\left[\mathbf{Exp}^{\mathrm{cr2\text{-}kk}}_H(A) = 1\right]$$
$$\mathbf{Adv}^{\mathrm{cr1\text{-}kk}}_H(A) = \Pr\left[\mathbf{Exp}^{\mathrm{cr1\text{-}kk}}_H(A) = 1\right]$$
$$\mathbf{Adv}^{\mathrm{cr0}}_H(A) = \Pr\left[\mathbf{Exp}^{\mathrm{cr0}}_H(A) = 1\right].$$
In measuring resource usage of an adversary we use our usual conventions. Although there is formally no
deﬁnition of a “secure” hash function, we will talk of a hash function being CR2, CR1 or CR0 with the intended
meaning that its associated advantage function is small for all adversaries of practical running time.
Note that the running time of the adversary is not really relevant for CR0, because we can always imagine that hardwired into its code is a "best" choice of distinct points $x_1, x_2$, meaning a choice for which
$$\Pr\left[H_K(x_1) = H_K(x_2) : K \xleftarrow{\$} \mathcal{K}\right] = \max_{y_1 \neq y_2} \Pr\left[H_K(y_1) = H_K(y_2) : K \xleftarrow{\$} \mathcal{K}\right].$$
The above value equals $\mathbf{Adv}^{\mathrm{cr0}}_H(A)$ and is the maximum advantage attainable.

Type        Name(s) in literature
CR2-KK      collision-free, collision-resistant, collision-intractable
CR1-KK      universal one-way [152] (aka. target-collision resistant [27])
CR0         universal, almost universal
Figure 8.5: Types of hash functions, with names in our framework and corresponding names found in the literature.
Clearly, a CR2 hash function is also CR1 and a CR1 hash function is also CR0. The following states the corresponding relations formally. The proof is trivial and is omitted.
Proposition 8.2 Let $H: \mathcal{K} \times D \to R$ be a hash function. Then for any adversary $A_0$ there exists an adversary $A_1$ having the same running time as $A_0$ and
$$\mathbf{Adv}^{\mathrm{cr0}}_H(A_0) \leq \mathbf{Adv}^{\mathrm{cr1\text{-}kk}}_H(A_1).$$
Also for any adversary $A_1$ there exists an adversary $A_2$ having the same running time as $A_1$ and
$$\mathbf{Adv}^{\mathrm{cr1\text{-}kk}}_H(A_1) \leq \mathbf{Adv}^{\mathrm{cr2\text{-}kk}}_H(A_2).$$
We believe that SHF1 is CR2, meaning that there is no practical algorithm $A$ for which $\mathbf{Adv}^{\mathrm{cr2\text{-}kk}}_H(A)$ is appreciably large. This is, however, purely a belief, based on the current inability to find such an algorithm. Perhaps, later, such an algorithm will emerge.
It is useful, for any integer $n$, to let $\mathrm{SHF1}^n: \{0,1\}^n \to \{0,1\}^{160}$ denote the restriction of SHF1 to the domain $\{0,1\}^n$. Note that a collision for $\mathrm{SHF1}^n_K$ is also a collision for $\mathrm{SHF1}_K$, and it is often convenient to think of attacking $\mathrm{SHF1}^n$ for some fixed $n$ rather than SHF1 itself.
8.3 Collision-finding attacks
Let us focus on CR2, which is the most important property for the applications we will see later. We consider different types of CR2-type collision-finding attacks on a family $H: \mathcal{K} \times D \to R$ where $D, R$ are finite sets. We assume the family performs some reasonable compression, say $|D| \ge 2|R|$. Canonical example families to keep in mind are $H = \mathrm{SHF1}_n$ for $n \ge 161$ and shf1, the compression function of SHF1.
Collision-resistance does not mean it is impossible to find a collision. Analogous to the case of one-wayness, there is an obvious collision-finding strategy. Let us enumerate the elements of $D$ in some way, so that $D = \{D_1, D_2, \ldots, D_d\}$ where $d = |D|$. The following adversary $A$ implements an exhaustive search collision-finding attack:
Adversary $A(K)$
    $x_1 \xleftarrow{\$} D$ ; $y \leftarrow H_K(x_1)$
    for $i = 1, \ldots, q$ do
        if ($H_K(D_i) = y$ and $x_1 \neq D_i$) then return $x_1, D_i$
    return FAIL
Cryptography: Lecture Notes 141
    for $i = 1, \ldots, q$ do   // $q$ is the number of trials
        $x_i \xleftarrow{\$} D$ ; $y_i \leftarrow H_K(x_i)$
        if (there exists $j < i$ such that $y_i = y_j$ but $x_i \neq x_j$)   // collision found
            then return $x_i, x_j$
    return FAIL   // No collision found
Figure 8.6: Birthday attack on a hash function $H: \mathcal{K} \times D \to R$. The attack is successful in finding a collision if it does not return FAIL.
We call $q$ the number of trials. Each trial involves one computation of $H_K$, so the number of trials is a measure of the time taken by the attack. To succeed, the attack requires that $H_K^{-1}(y)$ has size at least two, which happens at least half the time if $|D| \ge 2|R|$. However, we would still expect that it would take about $q = |D|$ trials to find a collision, which is prohibitive, for $D$ is usually large. For example, for $H = \mathrm{shf1}$, the domain has size $2^{672}$, far too large. For $\mathrm{SHF1}_n$, we would choose $n$ as small as possible, but need $n \ge 161$ to ensure collisions exist, so the attack uses $2^{161}$ computations of $H_K$, which is not practical.
Now here's another idea. We pick points at random, hoping that their image under $H_K$ equals the image under $H_K$ of an initial target point. Call this the random-input collision-finding attack. It is implemented like this:
Adversary $A(K)$
    $x_1 \xleftarrow{\$} D$ ; $y \leftarrow H_K(x_1)$
    for $i = 1, \ldots, q$ do
        $x_2 \xleftarrow{\$} D$
        if ($H_K(x_2) = y$ and $x_1 \neq x_2$) then return $x_1, x_2$
    return FAIL
A particular trial finds a collision with probability (about) 1 in $|R|$, so we expect to find a collision in about $q = |R|$ trials. This is much better than the $|D|$ trials used by our first attempt. In particular, a collision for shf1 would be found in time around $2^{160}$ rather than $2^{672}$. But this is still far from practical. Our conclusion is that as long as the range size of the hash function is large enough, this attack is not a threat.
We now consider another strategy, called a birthday attack, that turns out to be much better than the above. It is illustrated in Figure 8.6. It picks at random $q$ points from the domain, and applies $H_K$ to each of them. If it finds two distinct points yielding the same output, it has found a collision for $H_K$. The question is how large $q$ need be to find a collision. The answer may seem surprising at first. Namely, $q = O(\sqrt{|R|})$ trials suffices. We will justify this later, but first let us note the impact. Consider $\mathrm{SHF1}_n$ with $n \ge 161$. As we indicated, the random-input collision-finding attack takes about $2^{160}$ trials to find a collision. The birthday attack on the other hand takes around $\sqrt{2^{160}} = 2^{80}$ trials. This is MUCH less than $2^{160}$. Similarly, the birthday attack finds a collision in shf1 in around $2^{80}$ trials while random-input collision-finding takes about $2^{160}$ trials.
To see why the birthday attack performs as well as we claimed, we recall the following game. Suppose we have $q$ balls. View them as numbered, $1, \ldots, q$. We also have $N$ bins, where $N \ge q$. We throw the balls at random into the bins, one by one, beginning with ball 1. At random means that each ball is equally likely to land in any of the $N$ bins, and the probabilities for all the balls are independent. A collision is said to occur if some bin ends up containing at least two balls. We are interested in $C(N, q)$, the probability of a collision. As shown in the Appendix,
$$ C(N, q) \approx \frac{q^2}{2N} \qquad (8.1) $$
for $1 \le q \le \sqrt{2N}$. Thus $C(N, q) \approx 1$ for $q \approx \sqrt{2N}$.
The relation to birthdays arises from the question of how many people need be in a room before the probability of there being two people with the same birthday is close to one. We imagine each person has a birthday that is a random one of the 365 days in a year. This means we can think of a person as a ball being thrown at random into one of 365 bins, where the $i$th bin represents having birthday the $i$th day of the year. So we can apply the Proposition from the Appendix with $N = 365$ and $q$ the number of people in the room. The Proposition says that when the room contains $q \approx \sqrt{2 \cdot 365} \approx 27$ people, the probability that there are two people with the same birthday is close to one. This number (27) is quite small and may be hard to believe at first hearing, which is why this is sometimes called the birthday paradox.
To see how this applies to the birthday attack of Figure 8.6, let us enumerate the points in the range as $R_1, \ldots, R_N$, where $N = |R|$. Each such point defines a bin. We view $x_i$ as a ball, and imagine that it is thrown into bin $y_i$, where $y_i = H_K(x_i)$. Thus, a collision of balls (two balls in the same bin) occurs precisely when two values $x_i, x_j$ have the same output under $H_K$. We are interested in the probability that this happens as a function of $q$. (We ignore the probability that $x_i = x_j$, counting a collision only when $H_K(x_i) = H_K(x_j)$. It can be argued that since $D$ is larger than $R$, the probability that $x_i = x_j$ is small enough to neglect.)
However, we cannot apply the birthday analysis directly, because the latter assumes that each ball is equally likely to land in each bin. This is not, in general, true for our attack. Let $P(R_j)$ denote the probability that a ball lands in bin $R_j$, namely the probability that $H_K(x) = R_j$ taken over a random choice of $x$ from $D$. Then
$$ P(R_j) = \frac{|H_K^{-1}(R_j)|}{|D|} . $$
In order for $P(R_1) = P(R_2) = \cdots = P(R_N)$ to be true, as required to apply the birthday analysis, it must be the case that
$$ |H_K^{-1}(R_1)| = |H_K^{-1}(R_2)| = \cdots = |H_K^{-1}(R_N)| . $$
A function $H_K$ with this property is called regular, and $H$ is called regular if $H_K$ is regular for every $K$. Our conclusion is that if $H$ is regular, then the probability that the attack succeeds is roughly $C(N, q)$. So the above says that in this case we need about $q \approx \sqrt{2N} = \sqrt{2|R|}$ trials to find a collision with probability close to one. If $H$ is not regular, it turns out the attack succeeds even faster, telling us that we ought to design hash functions to be as "close" to regular as possible [22].
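As an added illustration (not part of the notes), the following Python experiment runs the birthday attack of Figure 8.6 and the random-input attack against a toy keyed hash whose range is deliberately shrunk to 24 bits, so that $\sqrt{2N} \approx 5793$ and the difference in trial counts can be observed in seconds; the SHA-1 truncation, the 24-bit range, the 64-bit domain and the sample key are assumptions of the example. It also evaluates the exact $C(N, q)$ next to the approximation (8.1) for the birthday-paradox numbers in the text.

```python
import hashlib
import math
import random

OUT_BITS = 24            # toy range: N = 2**24 (assumption; the notes' SHF1 has a 160-bit range)
N = 1 << OUT_BITS
DOMAIN_BYTES = 8         # domain {0,1}^64, so |D| >> |R| and collisions certainly exist


def h_trunc(key: bytes, x: bytes) -> int:
    """Toy keyed hash H_K(x): SHA-1 over K||x, keeping only the top OUT_BITS bits."""
    digest = hashlib.sha1(key + x).digest()
    return int.from_bytes(digest, "big") >> (160 - OUT_BITS)


def random_point(rng: random.Random) -> bytes:
    """x <-$ D: a uniformly random domain point."""
    return rng.getrandbits(8 * DOMAIN_BYTES).to_bytes(DOMAIN_BYTES, "big")


def birthday_attack(key: bytes, q: int, seed: int):
    """Figure 8.6: throw q random balls x_i into bins y_i = H_K(x_i).
    Returns (x_i, x_j, trials) at the first repeated bin with distinct inputs, else None (FAIL)."""
    rng = random.Random(seed)
    bins = {}                                  # y -> first x that landed in that bin
    for trial in range(1, q + 1):
        x = random_point(rng)
        y = h_trunc(key, x)
        if y in bins and bins[y] != x:
            return bins[y], x, trial
        bins.setdefault(y, x)
    return None


def random_input_attack(key: bytes, q: int, seed: int):
    """Random-input attack: fix a target y = H_K(x_1), then try q fresh points against it.
    Each trial hits with probability about 1/N, so about N trials are expected: hopeless here."""
    rng = random.Random(seed)
    x1 = random_point(rng)
    y = h_trunc(key, x1)
    for trial in range(1, q + 1):
        x2 = random_point(rng)
        if h_trunc(key, x2) == y and x2 != x1:
            return x1, x2, trial
    return None


def collision_probability(bins: int, balls: int) -> float:
    """Exact C(N, q) = 1 - prod_{i=1}^{q-1} (1 - i/N) for q balls thrown into N bins."""
    no_collision = 1.0
    for i in range(1, balls):
        no_collision *= 1.0 - i / bins
    return 1.0 - no_collision


def approx_collision_probability(bins: int, balls: int) -> float:
    """Equation (8.1): C(N, q) ~ q^2 / (2N), stated for 1 <= q <= sqrt(2N).
    It is a first-order estimate: at q = sqrt(2N) the exact value is about 1 - 1/e, not 1."""
    return balls * balls / (2.0 * bins)


if __name__ == "__main__":
    key = b"constructed-key"                   # sample key (assumption)
    budget = 4 * int(math.sqrt(2 * N))         # 4 * sqrt(2N), about 23000 trials
    print("sqrt(2N) =", int(math.sqrt(2 * N)))
    found = birthday_attack(key, budget, seed=1)
    print("birthday attack:", "collision after %d trials" % found[2] if found else "FAIL")
    same_budget = random_input_attack(key, budget, seed=1)
    print("random-input attack, same budget:", "collision" if same_budget else "FAIL (needs ~N trials)")
    for q in (10, 23, 27):                     # birthday paradox with N = 365
        print("N=365 q=%2d  exact C=%.3f  approx q^2/2N=%.3f"
              % (q, collision_probability(365, q), approx_collision_probability(365, q)))
```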
In summary, there is a $2^{l/2}$ or better time attack to find collisions in any hash function outputting $l$ bits. This leads designers to choose $l$ large enough that $2^{l/2}$ is prohibitive. In the case of SHF1 and shf1, the choice is $l = 160$ because $2^{80}$ is indeed a prohibitive number of trials. These functions cannot thus be considered vulnerable to birthday attack. (Unless they turn out to be extremely non-regular, for which there is no evidence so far.)
Ensuring, by appropriate choice of output length, that a function is not vulnerable to a birthday attack does not, of course, guarantee it is collision resistant. Consider the family $H: \mathcal{K} \times \{0,1\}^{161} \to \{0,1\}^{160}$ defined as follows. For any $K$ and any $x$, function $H_K(x)$ returns the first 160 bits of $x$. The output length is 160, so a birthday attack takes $2^{80}$ time and is not feasible, but it is still easy to find collisions. Namely, on input $K$, an adversary can just pick some 160-bit $y$ and output $y0, y1$. This tells us that to ensure collision-resistance it is not only important to have a long enough output but also to design the hash function so that there are no clever "shortcuts" to finding a collision, meaning no attacks that exploit some weakness in the structure of the function to quickly find collisions.
We believe that shf1 is well-designed in this regard. Nobody has yet found an adversary that finds a collision in shf1 using less than $2^{80}$ trials. Even if a somewhat better adversary, say one finding a collision for shf1 in $2^{65}$ trials, were found, it would not be devastating, since this is still a very large number of trials, and we would still consider shf1 to be collision-resistant.
If we believe shf1 is collision-resistant, Theorem 8.8 tells us that SHF1, as well as $\mathrm{SHF1}_n$, can also be considered collision-resistant, for all $n$.
8.4 One-wayness of collision-resistant hash functions
Intuitively, a family $H$ is one-way if it is computationally infeasible, given $H_K$ and a range point $y = H_K(x)$, where $x$ was chosen at random from the domain, to find a pre-image of $y$ (whether $x$ or some other) under $H_K$. Since this definition too has a hidden-key version, we indicate the known-key in the notation below.
Definition 8.3 Let $H: \mathcal{K} \times D \to R$ be a family of functions and let $A$ be an algorithm. We consider the following experiment:
$\mathbf{Exp}^{\text{ow-kk}}_H(A)$
    $K \xleftarrow{\$} \mathcal{K}$ ; $x \xleftarrow{\$} D$ ; $y \leftarrow H_K(x)$ ; $x' \xleftarrow{\$} A(K, y)$
    If ($H_K(x') = y$ and $x' \in D$) then return 1 else return 0
We let
$$ \mathrm{Adv}^{\text{ow-kk}}_H(A) = \Pr\left[ \mathbf{Exp}^{\text{ow-kk}}_H(A) = 1 \right] . $$
We now ask ourselves whether collision-resistance implies one-wayness. It is easy to see, however, that, in the absence of additional assumptions about the hash function beyond collision-resistance, the answer is "no." For example, let $H$ be a family of functions every instance of which is the identity function. Then $H$ is highly collision-resistant (the advantage of an adversary in finding a collision is zero regardless of its time-complexity since collisions simply don't exist) but is not one-way.
However, we would expect that "genuine" hash functions, meaning ones that perform some non-trivial compression of their data (i.e. the size of the range is more than the size of the domain) are one-way. This turns out to be true, but needs to be carefully quantified. To understand the issues, it may help to begin by considering the natural argument one would attempt to use to show that collision-resistance implies one-wayness.
Suppose we have an adversary $A$ that has a significant advantage in attacking the one-wayness of hash function $H$. We could try to use $A$ to find a collision via the following strategy. In the pre-key phase (we consider a type-1 attack) we pick and return a random point $x_1$ from $D$. In the post-key phase, having received the key $K$, we compute $y = H_K(x_1)$ and give $K, y$ to $A$. The latter returns some $x_2$, and, if it was successful, we know that $H_K(x_2) = y$. So $H_K(x_2) = H_K(x_1)$ and we have a collision.
Not quite. The catch is that we only have a collision if $x_2 \neq x_1$. The probability that this happens turns out to depend on the quantity:
$$ \mathrm{PreIm}_H(1) = \Pr\left[ |H_K^{-1}(y)| = 1 : K \xleftarrow{\$} \mathcal{K} ; x \xleftarrow{\$} D ; y \leftarrow H_K(x) \right] . $$
This is the probability that the size of the pre-image set of $y$ is exactly 1, taken over $y$ generated as shown. The following Proposition says that a collision-resistant function $H$ is one-way as long as $\mathrm{PreIm}_H(1)$ is small.
Proposition 8.4 Let $H: \mathcal{K} \times D \to R$ be a hash function. Then for any $A$ there exists a $B$ such that
$$ \mathrm{Adv}^{\text{ow-kk}}_H(A) \le 2 \cdot \mathrm{Adv}^{\text{cr1-kk}}_H(B) + \mathrm{PreIm}_H(1) . $$
Furthermore the running time of $B$ is that of $A$ plus the time to sample a domain point and compute $H$ once.
The result is about the CR1 type of collision-resistance. However Proposition 8.2 implies that the same is true for CR2.
A general and widely-applicable corollary of the above Proposition is that collision-resistance implies one-wayness as long as the domain of the hash function is significantly larger than its range. The following quantifies this.
Corollary 8.5 Let $H: \mathcal{K} \times D \to R$ be a hash function. Then for any $A$ there exists a $B$ such that
$$ \mathrm{Adv}^{\text{ow-kk}}_H(A) \le 2 \cdot \mathrm{Adv}^{\text{cr1-kk}}_H(B) + \frac{|R|}{|D|} . $$
Furthermore the running time of $B$ is that of $A$ plus the time to sample a domain point and compute $H$ once.
Proof of Corollary 8.5: For any key $K$, the number of points in the range of $H_K$ that have exactly one pre-image certainly cannot exceed $|R|$. This implies that
$$ \mathrm{PreIm}_H(1) \le \frac{|R|}{|D|} . $$
The corollary follows from Proposition 8.4.
Corollary 8.5 says that if $H$ is collision-resistant, and performs enough compression that $|R|$ is much smaller than $|D|$, then it is also one-way. Why? Let $A$ be a practical adversary that attacks the one-wayness of $H$. Then $B$ is also practical, and since $H$ is collision-resistant we know $\mathrm{Adv}^{\text{cr1-kk}}_H(B)$ is low. Equation (8.2) then tells us that as long as $|R|/|D|$ is small, $\mathrm{Adv}^{\text{ow-kk}}_H(A)$ is low, meaning $H$ is one-way.
As an example, let $H$ be the compression function shf1. In that case $R = \{0,1\}^{160}$ and $D = \{0,1\}^{672}$ so $|R|/|D| = 2^{-512}$, which is tiny. We believe shf1 is collision-resistant, and the above thus says it is also one-way.
There are some natural hash functions, however, for which Corollary 8.5 does not apply. Consider a hash function $H$ every instance of which is two-to-one. The ratio of range size to domain size is 1/2, so the right hand side of the equation of Corollary 8.5 is 1, meaning the bound is vacuous. However, such a function is a special case of the one considered in the following Proposition.
Corollary 8.6 Suppose $1 \le r < d$ and let $H: \mathcal{K} \times \{0,1\}^d \to \{0,1\}^r$ be a hash function which is regular, meaning $|H_K^{-1}(y)| = 2^{d-r}$ for every $y \in \{0,1\}^r$ and every $K \in \mathcal{K}$. Then for any $A$ there exists a $B$ such that
$$ \mathrm{Adv}^{\text{ow-kk}}_H(A) \le 2 \cdot \mathrm{Adv}^{\text{cr1-kk}}_H(B) . $$
Furthermore the running time of $B$ is that of $A$ plus the time to sample a domain point and compute $H$ once.
Proof of Corollary 8.6: The assumption $d > r$ implies that $\mathrm{PreIm}_H(1) = 0$. Now apply Proposition 8.4.
We now turn to the proof of Proposition 8.4.
Proof of Proposition 8.4: Here's how $B$ works:
Pre-key phase
Adversary $B()$
    $x_1 \xleftarrow{\$} D$ ; $st \leftarrow x_1$
    return $(x_1, st)$
Post-key phase
Adversary $B(K, st)$
    Retrieve $x_1$ from $st$
    $y \leftarrow H_K(x_1)$ ; $x_2 \xleftarrow{\$} A(K, y)$
    return $x_2$
Let $\Pr[\cdot]$ denote the probability of event "$\cdot$" in experiment $\mathbf{Exp}^{\text{cr1-kk}}_H(B)$. For any $K \in \mathcal{K}$ let
$$ S_K = \{\, x \in D : |H_K^{-1}(H_K(x))| = 1 \,\} . $$
$$ \begin{aligned}
& \mathrm{Adv}^{\text{cr1-kk}}_H(B) && (8.2) \\
& = \Pr[H_K(x_2) = y \wedge x_1 \neq x_2] && (8.3) \\
& \ge \Pr[H_K(x_2) = y \wedge x_1 \neq x_2 \wedge x_1 \notin S_K] && (8.4) \\
& = \Pr[x_1 \neq x_2 \mid H_K(x_2) = y \wedge x_1 \notin S_K] \cdot \Pr[H_K(x_2) = y \wedge x_1 \notin S_K] && (8.5) \\
& \ge \frac{1}{2} \cdot \Pr[H_K(x_2) = y \wedge x_1 \notin S_K] && (8.6) \\
& \ge \frac{1}{2} \cdot \left( \Pr[H_K(x_2) = y] - \Pr[x_1 \in S_K] \right) && (8.7) \\
& = \frac{1}{2} \cdot \left( \mathrm{Adv}^{\text{ow-kk}}_H(A) - \mathrm{PreIm}_H(1) \right) . && (8.8)
\end{aligned} $$
Rearranging terms yields Equation (8.2). Let us now justify the steps above. Equation (8.3) is by definition of $\mathrm{Adv}^{\text{cr1-kk}}_H(B)$ and $B$. Equation (8.4) is true because $\Pr[E] \ge \Pr[E \wedge F]$ for any events $E, F$. Equation (8.5) uses the standard formula $\Pr[E \wedge F] = \Pr[E \mid F] \cdot \Pr[F]$. Equation (8.6) is justified as follows. Adversary $A$ has no information about $x_1$ other than that it is a random point in the set $H_K^{-1}(y)$. However if $x_1 \notin S_K$ then $|H_K^{-1}(y)| \ge 2$. So the probability that $x_2 \neq x_1$ is at least 1/2 in this case. Equation (8.7) applies another standard probabilistic inequality, namely that $\Pr[E \wedge F] \ge \Pr[E] - \Pr[\overline{F}]$. Equation (8.8) uses the definitions of the quantities involved.
8.5 The MD transform
We saw above that SHF1 worked by iterating applications of its compression function shf1. The latter, under any key, compresses 672 bits to 160 bits. SHF1 works by compressing its input 512 bits at a time using shf1.
The iteration method has been chosen carefully. It turns out that if shf1 is collision-resistant, then SHF1 is guaranteed to be collision-resistant. In other words, the harder task of designing a collision-resistant hash function taking long and variable-length inputs has been reduced to the easier task of designing a collision-resistant compression function that only takes inputs of some fixed length.
This has clear benefits. We need no longer seek attacks on SHF1. To validate it, and be assured it is collision-resistant, we need only concentrate on validating shf1 and showing the latter is collision-resistant.
This is one case of an important hash-function design principle called the MD paradigm [145, 67]. This paradigm shows how to transform a compression function into a hash function in such a way that collision-resistance of the former implies collision-resistance of the latter. We are now going to take a closer look at this paradigm.
Let $b$ be an integer parameter called the block length, and $v$ another integer parameter called the chaining variable length. Let $h: \mathcal{K} \times \{0,1\}^{b+v} \to \{0,1\}^v$ be a family of functions that we call the compression function. We assume it is collision-resistant.
Let $B$ denote the set of all strings whose length is a positive multiple of $b$ bits, and let $D$ be some subset of $\{0,1\}^{<2^b}$.
Definition 8.7 A function $\mathrm{pad}: D \to B$ is called a MD-compliant padding function if it has the following properties for all $M, M_1, M_2 \in D$:
(1) $M$ is a prefix of $\mathrm{pad}(M)$
(2) If $|M_1| = |M_2|$ then $|\mathrm{pad}(M_1)| = |\mathrm{pad}(M_2)|$
(3) If $M_1 \neq M_2$ then the last block of $\mathrm{pad}(M_1)$ is different from the last block of $\mathrm{pad}(M_2)$.
A block, above, consists of $b$ bits. Remember that the output of pad is in $B$, meaning it is a sequence of $b$-bit blocks. Condition (3) of the definition is saying that if two messages are different then, when we apply pad to them, we end up with strings that differ in their final blocks.
An example of a MD-compliant padding function is shapad. However, there are other examples as well.
Now let IV be a $v$-bit value called the initial vector. We build a family $H: \mathcal{K} \times D \to \{0,1\}^v$ from $h$ and pad as illustrated in Figure 8.7. Notice that SHF1 is such a family, built from $h = \mathrm{shf1}$ and $\mathrm{pad} = \mathrm{shapad}$. The main fact about this method is the following.
$H(K, M)$
    $y \leftarrow \mathrm{pad}(M)$
    Parse $y$ as $M_1 \,\|\, M_2 \,\|\, \cdots \,\|\, M_n$ where $|M_i| = b$ ($1 \le i \le n$)
    $V \leftarrow \mathrm{IV}$
    for $i = 1, \ldots, n$ do
        $V \leftarrow h(K, M_i \,\|\, V)$
    Return $V$
Adversary $A_h(K)$
    Run $A_H(K)$ to get its output $(x_1, x_2)$
    $y_1 \leftarrow \mathrm{pad}(x_1)$ ; $y_2 \leftarrow \mathrm{pad}(x_2)$
    Parse $y_1$ as $M_{1,1} \,\|\, M_{1,2} \,\|\, \cdots \,\|\, M_{1,n[1]}$ where $|M_{1,i}| = b$ ($1 \le i \le n[1]$)
    Parse $y_2$ as $M_{2,1} \,\|\, M_{2,2} \,\|\, \cdots \,\|\, M_{2,n[2]}$ where $|M_{2,i}| = b$ ($1 \le i \le n[2]$)
    $V_{1,0} \leftarrow \mathrm{IV}$ ; $V_{2,0} \leftarrow \mathrm{IV}$
    for $i = 1, \ldots, n[1]$ do $V_{1,i} \leftarrow h(K, M_{1,i} \,\|\, V_{1,i-1})$
    for $i = 1, \ldots, n[2]$ do $V_{2,i} \leftarrow h(K, M_{2,i} \,\|\, V_{2,i-1})$
    if ($V_{1,n[1]} \neq V_{2,n[2]}$ OR $x_1 = x_2$) return FAIL
    if $|x_1| \neq |x_2|$ then return $(M_{1,n[1]} \,\|\, V_{1,n[1]-1},\ M_{2,n[2]} \,\|\, V_{2,n[2]-1})$
    $n \leftarrow n[1]$   // $n = n[1] = n[2]$ since $|x_1| = |x_2|$
    for $i = n$ downto 1 do
        if $M_{1,i} \,\|\, V_{1,i-1} \neq M_{2,i} \,\|\, V_{2,i-1}$ then return $(M_{1,i} \,\|\, V_{1,i-1},\ M_{2,i} \,\|\, V_{2,i-1})$
Figure 8.7: Hash function $H$ defined from compression function $h$ via the MD paradigm, and adversary $A_h$ for the proof of Theorem 8.8.
Theorem 8.8 Let $h: \mathcal{K} \times \{0,1\}^{b+v} \to \{0,1\}^v$ be a family of functions and let $H: \mathcal{K} \times D \to \{0,1\}^v$ be built from $h$ as described above. Suppose we are given an adversary $A_H$ that attempts to find collisions in $H$. Then we can construct an adversary $A_h$ that attempts to find collisions in $h$, and
$$ \mathrm{Adv}^{\text{cr2-kk}}_H(A_H) \le \mathrm{Adv}^{\text{cr2-kk}}_h(A_h) . \qquad (8.9) $$
Furthermore, the running time of $A_h$ is that of $A_H$ plus the time to perform $(|\mathrm{pad}(x_1)| + |\mathrm{pad}(x_2)|)/b$ computations of $h$ where $(x_1, x_2)$ is the collision output by $A_H$.
This theorem says that if $h$ is collision-resistant then so is $H$. Why? Let $A_H$ be a practical adversary attacking $H$. Then $A_h$ is also practical, because its running time is that of $A_H$ plus the time to do some extra computations of $h$. But since $h$ is collision-resistant we know that $\mathrm{Adv}^{\text{cr2-kk}}_h(A_h)$ is low. Equation (8.9) then tells us that $\mathrm{Adv}^{\text{cr2-kk}}_H(A_H)$ is low, meaning $H$ is collision-resistant as well.
Proof of Theorem 8.8: Adversary $A_h$, taking input a key $K \in \mathcal{K}$, is depicted in Figure 8.7. It runs $A_H$ on input $K$ to get a pair $(x_1, x_2)$ of messages in $D$. We claim that if $x_1, x_2$ is a collision for $H_K$ then $A_h$ will return a collision for $h_K$.
Adversary $A_h$ computes $V_{1,n[1]} = H_K(x_1)$ and $V_{2,n[2]} = H_K(x_2)$. If $x_1, x_2$ is a collision for $H_K$ then we know that $V_{1,n[1]} = V_{2,n[2]}$. Let us assume this. Now, let us look at the inputs to the application of $h_K$ that yielded these outputs. If these inputs are different, they form a collision for $h_K$.
The inputs in question are $M_{1,n[1]} \,\|\, V_{1,n[1]-1}$ and $M_{2,n[2]} \,\|\, V_{2,n[2]-1}$. We now consider two cases. The first case is that $x_1, x_2$ have different lengths. Item (3) of Definition 8.7 tells us that $M_{1,n[1]} \neq M_{2,n[2]}$. This means that $M_{1,n[1]} \,\|\, V_{1,n[1]-1} \neq M_{2,n[2]} \,\|\, V_{2,n[2]-1}$, and thus these two points form a collision for $h_K$ that can be output by $A_h$.
The second case is that $x_1, x_2$ have the same length. Item (2) of Definition 8.7 tells us that $y_1, y_2$ have the same length as well. We know this length is a positive multiple of $b$ since the range of pad is the set $B$, so we let $n$ be
$\mathbf{Exp}^{\text{cr2-hk}}_H(A)$
    $K \xleftarrow{\$} \mathcal{K}$ ; Run $A^{H_K(\cdot)}()$
    If there exist $x_1, x_2$ such that
        – $x_1 \neq x_2$ and $x_1, x_2 \in D$
        – Oracle queries $x_1, x_2$ were made by $A$
        – The answers returned by the oracle were the same
    then return 1 else return 0
$\mathbf{Exp}^{\text{cr1-hk}}_H(A)$
    $(x_1, st) \xleftarrow{\$} A()$ ; $K \xleftarrow{\$} \mathcal{K}$ ; Run $A^{H_K(\cdot)}(st)$
    If there exists $x_2$ such that
        – $x_1 \neq x_2$ and $x_1, x_2 \in D$
        – Oracle queries $x_1, x_2$ were made by $A$
        – The answers returned by the oracle were the same
    then return 1 else return 0
Figure 8.8: Experiments defining security notions for two kinds of collision-resistant hash functions under hidden-key attack.
the number of $b$-bit blocks that comprise $y_1$ and $y_2$. Let $V_n$ denote the value $V_{1,n}$, which by assumption equals $V_{2,n}$. We compare the inputs $M_{1,n} \,\|\, V_{1,n-1}$ and $M_{2,n} \,\|\, V_{2,n-1}$ that under $h_K$ yielded $V_n$. If they are different, they form a collision for $h_K$ and can be returned by $A_h$. If, however, they are the same, then we know that $V_{1,n-1} = V_{2,n-1}$. Denoting this value by $V_{n-1}$, we now consider the inputs $M_{1,n-1} \,\|\, V_{1,n-2}$ and $M_{2,n-1} \,\|\, V_{2,n-2}$ that under $h_K$ yield $V_{n-1}$. The argument repeats itself: if these inputs are different we have a collision for $h_K$, else we can step back one more time.
Can we get stuck, continually stepping back and not finding our collision? No, because $y_1 \neq y_2$. Why is the latter true? We know that $x_1 \neq x_2$. But item (1) of Definition 8.7 says that $x_1$ is a prefix of $y_1$ and $x_2$ is a prefix of $y_2$. So $y_1 \neq y_2$.
We have argued that on any input $K$, adversary $A_h$ finds a collision in $h_K$ exactly when $A_H$ finds a collision in $H_K$. This justifies Equation (8.9). We now justify the claim about the running time of $A_h$. The main component of the running time of $A_h$ is the time to run $A_H$. In addition, it performs a number of computations of $h$ equal to the number of blocks in $y_1$ plus the number of blocks in $y_2$. There is some more overhead, but small enough to neglect.
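To make the reduction of Theorem 8.8 concrete, the following Python code (added here; it is not from the notes) implements the MD transform of Figure 8.7 and the adversary $A_h$ over a toy compression function. The compression function, its 32-bit chaining variable, the SHA-style padding layout, the zero IV and the sample key are all constructed for this example; the compression function is deliberately weakened (it ignores one input bit) so that an $H_K$-collision is available without any search, and $A_h$ has to step back through the chain to extract the $h_K$-collision from it.

```python
import hashlib

B = 64                  # block length b in bytes (512 bits, as for SHF1)
V = 4                   # chaining variable length v in bytes (32-bit toy; SHF1 uses 160 bits)
IV = bytes(V)           # initial vector: v zero bytes (assumption)


def pad(m: bytes) -> bytes:
    """MD-compliant padding in the style of shapad (layout assumed for this example):
    m || 0x80 || zero bytes || 8-byte big-endian bit length, padded to a multiple of B.
    (1) m is a prefix; (2) equal-length messages pad to equal length; (3) messages of
    different length end in different final blocks, since the final block carries the length."""
    bit_len = (8 * len(m)).to_bytes(8, "big")
    zeros = (-(len(m) + 1 + 8)) % B
    return m + b"\x80" + bytes(zeros) + bit_len


def h(key: bytes, block_and_chain: bytes) -> bytes:
    """Toy compression function h_K: {0,1}^{b+v} -> {0,1}^v, SHA-256(K || input) cut to V bytes.
    Deliberately weakened (constructed): the low bit of the first input byte is discarded, so
    h_K has trivial collisions. It stands in for 'some adversary can collide h'."""
    assert len(block_and_chain) == B + V
    weakened = bytes([block_and_chain[0] & 0xFE]) + block_and_chain[1:]
    return hashlib.sha256(key + weakened).digest()[:V]


def blocks(y: bytes):
    """Parse padded input y as M_1 || ... || M_n with |M_i| = B."""
    return [y[i:i + B] for i in range(0, len(y), B)]


def chain(key: bytes, y: bytes):
    """Return [V_0, V_1, ..., V_n] with V_0 = IV and V_i = h_K(M_i || V_{i-1})."""
    values = [IV]
    for m_i in blocks(y):
        values.append(h(key, m_i + values[-1]))
    return values


def H(key: bytes, m: bytes) -> bytes:
    """H_K(M) of Figure 8.7: the last chaining value over pad(M)."""
    return chain(key, pad(m))[-1]


def adversary_h(key: bytes, x1: bytes, x2: bytes):
    """A_h of Figure 8.7, with A_H's output (x1, x2) supplied by the caller.
    Returns two distinct (B+V)-byte inputs that collide under h_K, or None for FAIL."""
    y1, y2 = pad(x1), pad(x2)
    m1, m2 = blocks(y1), blocks(y2)
    v1, v2 = chain(key, y1), chain(key, y2)
    if v1[-1] != v2[-1] or x1 == x2:
        return None                                  # (x1, x2) is not a collision for H_K
    if len(x1) != len(x2):
        # Different lengths: final blocks differ (property (3)), so the final h inputs collide.
        return m1[-1] + v1[-2], m2[-1] + v2[-2]
    n = len(m1)                                      # same length, so n[1] == n[2]
    for i in range(n, 0, -1):                        # step back from the last block
        in1 = m1[i - 1] + v1[i - 1]                  # M_{1,i} || V_{1,i-1}
        in2 = m2[i - 1] + v2[i - 1]                  # M_{2,i} || V_{2,i-1}
        if in1 != in2:
            return in1, in2
    return None  # unreachable: y1 != y2 because x1 != x2 and each x_j is a prefix of y_j


if __name__ == "__main__":
    key = b"sample-key"                      # constructed
    x1 = b"A" * 70                           # two blocks after padding
    x2 = b"@" + b"A" * 69                    # differs from x1 only in the bit h_K ignores
    assert H(key, x1) == H(key, x2)          # an H_K-collision, handed to A_h as if A_H produced it
    in1, in2 = adversary_h(key, x1, x2)
    first_diff = next(i for i, (a, b) in enumerate(zip(blocks(pad(x1)), blocks(pad(x2)))) if a != b)
    print("h_K-collision recovered at block", first_diff + 1, "after stepping back from block 2")
    print("h_K(in1) == h_K(in2):", h(key, in1) == h(key, in2), "; in1 != in2:", in1 != in2)
```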
8.6 Collision-resistance under hidden-key attack
In a hidden-key attack, the adversary does not get the key $K$ in the post-key attack phase, but instead gets an oracle for $H_K(\cdot)$. There are again three possible notions of security, analogous to those in Figure 8.3 except that, in the post-key attack phase, $A$ is not given $K$ but is instead given an oracle for $H_K(\cdot)$. The CR0 notion however coincides with the one for known-key attacks since by the time the post-key attack phase is reached, a cr0-adversary has already output both its points, so we get only two new notions. Formal experiments defining these two notions are given in Figure 8.8.
Definition 8.9 Let $H: \mathcal{K} \times D \to R$ be a hash function and let $A$ be an algorithm. We let
$$ \mathrm{Adv}^{\text{cr2-hk}}_H(A) = \Pr\left[ \mathbf{Exp}^{\text{cr2-hk}}_H(A) = 1 \right] $$
$$ \mathrm{Adv}^{\text{cr1-hk}}_H(A) = \Pr\left[ \mathbf{Exp}^{\text{cr1-hk}}_H(A) = 1 \right] . $$
8.7 Problems
Problem 8.10 Hash functions have sometimes been constructed using a block cipher, and often this has not gone well. Let $E: \mathcal{K} \times \{0,1\}^n \to \{0,1\}^n$ be a block cipher and consider constructing $H: \mathcal{K} \times (\{0,1\}^n)^+ \to \{0,1\}^n$ by way of the CBC construction: let the hash of $M_1 \cdots M_m$ be $Y_m$ where $Y_0 = 0^n$ and $Y_i = E_K(Y_{i-1} \oplus M_i)$ for $i \ge 1$. Here we select $K$ to be some public constant. Show that this hash function is not collision-resistant (no matter how good the block cipher $E$ is).
Problem 8.11 Let $H: \mathcal{K} \times \{0,1\}^a \to \{0,1\}^n$ be an AU hash-function family. Construct from $H$ an AU hash-function family $H': \mathcal{K} \times \{0,1\}^{2a} \to \{0,1\}^{2n}$.
Problem 8.12 Let $H: \mathcal{K} \times \{0,1\}^a \to \{0,1\}^n$ be an AU hash-function family. Construct from $H$ an ${}^2$-AU hash-function family $H': \mathcal{K}^2 \times \{0,1\}^a \to \{0,1\}^{2n}$.
Chapter 9
Message authentication
In most people's minds, privacy is the goal most strongly associated to cryptography. But message authentication is arguably even more important. Indeed you may or may not care if some particular message you send out stays private, but you almost certainly do want to be sure of the originator of each message that you act on. Message authentication is what buys you that guarantee.
Message authentication allows one party—the Sender—to send a message to another party—the Receiver—in such a way that if the message is modified en route, then the Receiver will almost certainly detect this. Message authentication is also called "data-origin authentication," since it authenticates the point-of-origin for each message. Message authentication is said to protect the "integrity" of messages, ensuring that each that is received and deemed acceptable is arriving in the same condition that it was sent out—with no bits inserted, missing, or modified.
Here we'll be looking at the shared-key setting for message authentication (remember that message authentication in the public-key setting is the problem addressed by digital signatures). In this case the Sender and the Receiver share a secret key, $K$, which they'll use to authenticate their transmissions. We'll define the message authentication goal and we'll describe some different ways to achieve it. As usual, we'll be careful to pin down the problem we're working to solve.
9.1 The setting
It is often crucial for an agent who receives a message to be sure who sent it out. If a hacker can call into his bank's central computer and produce deposit transactions that appear to be coming from a branch office, easy wealth is just around the corner. If an unprivileged user can interact over the network with his company's mainframe in such a way that the machine thinks that the packets it is receiving are coming from the system administrator, then all the machine's access control mechanisms are for naught. An Internet interloper who can provide bogus financial data to online investors by making the data seem to have come from a reputable source when it does not might induce an enemy to make a disastrous investment.
In all of these cases the risk is that an adversary $A$—the Forger—will create messages that look like they come from some other party, $S$, the (legitimate) Sender. The attacker will send a message $M$ to $R$—the Receiver—under $S$'s identity. The Receiver $R$ will be tricked into believing that $M$ originates with $S$. Because of this wrong belief, $R$ may act on $M$ in a way that is somehow inappropriate.
The rightful Sender $S$ could be one of many different kinds of entities, like a person, a corporation, a network address, or a particular process running on a particular machine. As the receiver $R$, you might know that it is $S$ that supposedly sent you the message $M$ for a variety of reasons. For example, the message $M$ might be tagged by an identifier which somehow names $S$. Or it might be that the manner in which $M$ arrives is a route currently dedicated to servicing traffic from $S$.
[Figure 9.1 (diagram): $S$ and $R$, each holding key $K$, with adversary $A$ sitting on the channel between them; $S$ sends $M$ (as $M'$), and $R$ outputs either $M$ or REJECT.]
Figure 9.1: A message-authentication scheme. Sender $S$ wants to send a message $M$ to receiver $R$ in such a way that $R$ will be sure that $M$ came from $S$. They share key $K$. Adversary $A$ controls the communication channel. Sender $S$ sends an authenticated version of $M$, $M'$, which adversary $A$ may or may not pass on. On receipt of a message $M$, receiver $R$ either recovers a message that $S$ really sent, or else $R$ gets an indication that $M$ is inauthentic.
[Figure 9.2 (diagram): $S$ runs MAC on $K$ and $M$ to get Tag and sends $(M, \mathrm{Tag})$ through adversary $A$; $R$ runs VF on $K$, $M$ and Tag and outputs ACCEPT or REJECT.]
Figure 9.2: A message authentication code (MAC). A MAC is a special-case of a message-authentication scheme, where the authenticated message is the original message $M$ together with a tag Tag. The adversary controls the channel, so we can not be sure that $M$ and Tag reach their intended destination. Instead, the Receiver gets $M, T$. The Receiver will apply a verification function to $K$, $M$ and $T$ to decide if $M$ should be regarded as the transmitted message, $M$, or as the adversary's creation.
Here we're going to be looking at the case when $S$ and $R$ already share some secret key, $K$. How $S$ and $R$ came to get this shared secret key is a separate question, one that we deal with in Chapter 11.
Authenticating messages may be something done for the benefit of the Receiver $R$, but the Sender $S$ will certainly need to help out—he'll have to authenticate each of his messages. See Figure 9.1. To authenticate a message $M$ using the key $K$ the legitimate Sender will apply some "message-authenticating algorithm" to $K$ and $M$, giving rise to an "authenticated message" $M'$. The sender $S$ will transmit the authenticated message $M'$ to the receiver $R$. Maybe the Receiver will get it—and then again, maybe not. The problem is that an adversary $A$ controls the channel on which messages are being sent. Let's let $M$ be the message that the Receiver actually gets. The receiver $R$, on receipt of $M$, will apply some "message-recovery algorithm" to $K$ and $M$. We want that this should yield one of two things: (1) the original message $M$, or else (2) an indication that $M$ should not be regarded as authentic.
Often the authenticated message $M'$ is just the original message $M$ together with a fixed-length "tag." The tag serves to validate the authenticity of the message $M$. In this case we call the message-authentication scheme a message authentication code, or MAC. See Figure 9.2.
When the Receiver decides that a message he has received is inauthentic what should he do? The Receiver might want to just ignore the bogus message: perhaps it was just noise on the channel. Or perhaps taking action will do more harm than good, opening up new possibilities for denial-of-service attacks. Or the Receiver may want to take more decisive actions, like tearing down the channel on which the message was received and informing some human being of apparent mischief. The proper course of action is dictated by the circumstances and the security policy of the Receiver.
Adversarial success in violating the authenticity of messages demands an active attack: to succeed, the adversary has to get some bogus data to the receiver $R$. If the attacker just watches $S$ and $R$ communicate she hasn't won this game. In some communication scenarios it may be difficult for the adversary to get her own messages to the receiver $R$—it might not really control the communication channel. For example, it may be difficult for an adversary to drop its own messages onto a dedicated phone line or network link. In other environments it may be trivial, no harder than dropping a packet onto the Internet. Since we don't know what the characteristics of the Sender—Receiver channel are, it is best to assume the worst and think that the adversary has plenty of power over the communications media (and even some power over influencing what messages are legitimately sent out).
We wish to emphasize that the authentication problem is very different from the encryption problem. We are not worried about secrecy of the message $M$. Our concern is in whether the adversary can profit by injecting new messages into the communications stream, not whether she understands the contents of the communication. Indeed, as we shall see, encryption provides no ready solution for message authentication.
9.2 Privacy does not imply authenticity
We know how to encrypt data so as to provide privacy, and something often suggested (and done) is to encrypt
as a way to provide data authenticity, too. Fix a symmetric encryption scheme oc = (/, c, T), and let parties
S and R share a key K for this scheme. When S wants to send a message M to R, she encrypts it, transferring
a ciphertext M
t
= C generated via C
$
← c
K
(M). The receiver B decrypts it and, if it “makes sense”, he regards
the recovered message M = T
K
(C) as authentic.
The argument that this works is as follows. Suppose, for example, that S transmits an ASCII message $M_{100}$
which indicates that R should please transfer $100 from the checking account of S to the checking account of
some other party, A. The adversary A wants to change the amount from the $100 to $900. Now if $M_{100}$ had
been sent in the clear, A can easily modify it. But if $M_{100}$ is encrypted so that ciphertext $C_{100}$ is sent, how
is A to modify $C_{100}$ so as to make R recover the different message $M_{900}$? The adversary A does not know the
key K, so she cannot just encrypt $M_{900}$ on her own. The privacy of $C_{100}$ already rules out that $C_{100}$ can be
profitably tampered with.
The above argument is completely wrong. To see the flaws let's first look at a counterexample. If we encrypt
$M_{100}$ using a one-time pad, then all the adversary has to do is to XOR the byte of the ciphertext $C_{100}$ which
encodes the character "1" with the XOR of the bytes which encode "1" and "9". That is, when we one-time-pad
encrypt, the privacy of the transmission does not make it difficult for the adversary to tamper with ciphertext
so as to produce related ciphertexts.
There are many possible reactions to this counterexample. Let’s look at some.
What you should not conclude is that one-time-pad encryption is unsound. The goal of encryption was to
provide privacy, and nothing we have said has suggested that one-time-pad encryption does not. Faulting an
encryption scheme for not providing authenticity is like faulting a car for not being able to fly. There is no
reason to expect a tool designed to solve one problem to be effective at solving another. You need an airplane,
not a car, if you want to fly.
You should not conclude that the example is contrived, and that you'd fare far better with some other encryption
method. One-time-pad encryption is not at all contrived. And other methods of encryption, like CBC
encryption, are only marginally better at protecting message integrity. This will be explored in the exercises.
You should not conclude that the failure stemmed from a failure to add "redundancy" before the message was
encrypted. Adding redundancy is something like this: before the Sender S encrypts his data he pads it with some
known, fixed string, like 128 bits of zeros. When the receiver decrypts the ciphertext he checks whether the
decrypted string ends in 128 zeros. He rejects the transmission if it does not. Such an approach can, and almost
always will, fail. For example, the added redundancy does absolutely nothing in our one-time-pad example.
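The counterexample of this section, together with the 128-zero-bit redundancy check that does nothing to stop it, as an added Python example (not code from the notes). The plaintexts, the pad and the byte the adversary edits are constructed here; the notes describe the attack only in words.

```python
"""One-time-pad encryption is private but malleable: the receiver recovers a
related plaintext, and trailing zero-bit 'redundancy' survives the edit."""
import secrets

REDUNDANCY = bytes(16)          # 128 bits of zeros appended by the sender


def otp_encrypt(pad: bytes, msg: bytes) -> bytes:
    """One-time pad: C = M xor K, with a pad at least as long as the message."""
    if len(pad) < len(msg):
        raise ValueError("pad too short")
    return bytes(m ^ k for m, k in zip(msg, pad))


otp_decrypt = otp_encrypt       # XOR is its own inverse


def tamper(ciphertext: bytes, position: int, old: bytes, new: bytes) -> bytes:
    """Change one plaintext byte without knowing the pad: XOR the ciphertext
    byte at `position` with (old xor new), the trick described in the text."""
    c = bytearray(ciphertext)
    c[position] ^= old[0] ^ new[0]
    return bytes(c)


def with_redundancy(msg: bytes) -> bytes:
    """Sender side: append the known fixed string before encrypting."""
    return msg + REDUNDANCY


def check_redundancy(plain: bytes):
    """Receiver side: accept only if the last 128 bits are zero; None = reject."""
    if len(plain) < len(REDUNDANCY) or plain[-len(REDUNDANCY):] != REDUNDANCY:
        return None
    return plain[:-len(REDUNDANCY)]


def demo() -> bytes:
    """S encrypts M_100 (with redundancy); A edits the '1' to a '9' in C_100;
    R decrypts, the redundancy check passes, and R recovers M_900."""
    m100 = b"transfer $100 from S to A"          # constructed plaintext
    pad = secrets.token_bytes(64)                # fresh one-time pad
    c100 = otp_encrypt(pad, with_redundancy(m100))
    pos = m100.index(b"$") + 1                   # ciphertext byte encoding '1'
    c900 = tamper(c100, pos, b"1", b"9")         # adversary never sees the pad
    return check_redundancy(otp_decrypt(pad, c900))
```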
What you should conclude is that encrypting a message was never an appropriate approach for protecting its
authenticity. With hindsight, this is pretty clear. The fact that data is encrypted need not prevent an adversary
from being able to make the receiver recover data diﬀerent from that which the sender had intended. Indeed
with most encryption schemes any ciphertext will decrypt to something, so even a random transmission will
cause the receiver to receive something diﬀerent from what the Sender intended, which was not to send any
message at all. Now perhaps the random ciphertext will look like garbage to the receiver, or perhaps not. Since
we do not know what the Receiver intends to do with his data it is impossible to say.
Since encryption was not designed for authenticating messages, it very rarely does. We emphasize this because
the belief that good encryption, perhaps after adding redundancy, already provides authenticity, is not only
voiced, but even printed in books or embedded into security systems.
Good cryptographic design is goal-oriented. One must understand and formalize our goal. Only then do we
have the basis on which to design and evaluate potential solutions. Accordingly, our next step is to come up
with a definition for a message-authentication scheme and its security.
9.3 Syntax of message-authentication schemes
A message authentication scheme $\mathcal{MA} = (\mathcal{K}, \mathcal{S}, \mathcal{V})$ is simply a symmetric encryption scheme, consisting of a
triple of algorithms. What is changed is the security goal, which is no longer privacy but authenticity. For this
reason we denote and name the scheme and some of the algorithms differently. What used to be called the
encryption algorithm is now called the message authenticating algorithm; what used to be called the decryption
algorithm is now called the message recovery algorithm.
As we indicated already, a message-authentication code (MAC) is the special case of a message-authentication
scheme in which the authenticated message $M'$ consists of M together with a fixed-length string, Tag. Usually
the length of the tag is between 32 and 128 bits. MACs of 32 bits, 64 bits, 96 bits, and 128 bits are common.
It could be confusing, but it is very common practice to call the tag itself a MAC. That is, the scheme itself is
called MAC, but so too is the computed tag.
Definition 9.1 [MAC] A message-authentication code Π consists of three algorithms, $\Pi = (\mathcal{K}, \mathrm{MAC}, \mathrm{VF})$, as
follows:
• The randomized key generation algorithm $\mathcal{K}$ returns a string K. We let Keys(Π) denote the set of all
strings that have nonzero probability of being output by $\mathcal{K}$. The members of this set are called keys. We
write $K \xleftarrow{\$} \mathcal{K}$ for the operation of executing $\mathcal{K}$ and letting K denote the key returned.
• The MAC-generation algorithm MAC, which might be randomized or stateful, takes a key $K \in \mathrm{Keys}(\Pi)$
and a plaintext $M \in \{0,1\}^*$ to return a tag $\mathrm{Tag} \in \{0,1\}^* \cup \{\bot\}$. We write $\mathrm{Tag} \xleftarrow{\$} \mathrm{MAC}_K(M)$ to denote
the operation of executing MAC on K and M and letting Tag denote the tag returned.
• The deterministic MAC-verification algorithm VF takes a key $K \in \mathrm{Keys}(\Pi)$, a message $M \in \{0,1\}^*$ and
a candidate tag $\mathrm{Tag} \in \{0,1\}^*$ to return either 1 (accept) or 0 (reject). We write $d \leftarrow \mathrm{VF}_K(M, \mathrm{Tag})$
to denote the operation of executing VF on K, M and Tag and letting d denote the decision bit returned.
We require that for any key $K \in \mathrm{Keys}(\Pi)$ and any message $M \in \{0,1\}^*$
$$\Pr\left[\mathrm{Tag} \xleftarrow{\$} \mathrm{MAC}_K(M) : \mathrm{Tag} = \bot \text{ OR } \mathrm{VF}_K(M, \mathrm{Tag}) = 1\right] = 1 .$$
A number $\tau \ge 1$ is called the tag-length associated to the scheme if for any key $K \in \mathrm{Keys}(\Pi)$ and any message
$M \in \{0,1\}^*$
$$\Pr\left[\mathrm{Tag} \xleftarrow{\$} \mathrm{MAC}_K(M) : \mathrm{Tag} = \bot \text{ OR } |\mathrm{Tag}| = \tau\right] = 1 .$$
Any message authentication code gives rise to an associated message authentication scheme in which the
authenticated message consists of the message together with the tag. In more detail, if $\Pi = (\mathcal{K}, \mathrm{MAC}, \mathrm{VF})$ is a
message authentication code, then its associated message authentication scheme is $\mathcal{MA} = (\mathcal{K}, \mathcal{S}, \mathcal{V})$ where the
key-generation algorithm remains unchanged and
Algorithm $\mathcal{S}_K(M)$
    $\mathrm{Tag} \xleftarrow{\$} \mathrm{MAC}_K(M)$
    $M' \leftarrow (M, \mathrm{Tag})$
    Return $M'$
Algorithm $\mathcal{V}_K(M')$
    Parse $M'$ as $(M, \mathrm{Tag})$
    If $\mathrm{VF}_K(M, \mathrm{Tag}) = 1$ then return 1 else return 0
Let us make a few comments about Definition 9.1. First, we emphasize that, so far, we have only defined MAC
and message-authentication scheme "syntax"—we haven't yet said anything formal about security. Of course
any viable message-authentication scheme will require some security properties. We'll get there in a moment.
But first we needed to pin down exactly what type of objects we're talking about.
Note that our definitions don't permit stateful message-recovery or stateful MAC-verification. Stateful functions
for the Receiver can be problematic because of the possibility of messages not reaching their destination—it is
too easy for the Receiver to be in a state different from the one that we'd like. All the same, stateful
MAC-verification functions are essential for detecting "replay attacks," and are therefore important tools.
Recall that it was essential for security of an encryption scheme that the encryption algorithm be probabilistic
or stateful—you couldn't do well at achieving our strong notions of privacy with a deterministic encryption
algorithm. But this isn't true for message authentication. It is possible (and even common) to have secure
message authentication schemes in which the message-authenticating algorithm is deterministic or stateless,
and to have secure message-authentication codes in which the MAC-generation algorithm is deterministic or
stateless.
When the MAC-generation algorithm is deterministic and stateless, MAC verification is invariably accomplished
by having the Verifier compute the correct tag for the received message M (using the MAC-generation function)
and checking that it matches the received tag. That is, the MAC-verification function is simply the following:
algorithm $\mathrm{VF}_K(M, \mathrm{Tag})$
    $\mathrm{Tag}' \leftarrow \mathrm{MAC}_K(M)$
    if ($\mathrm{Tag} = \mathrm{Tag}'$ and $\mathrm{Tag}' \ne \bot$) then return 1 else return 0.
For a deterministic MAC we need only specify the key-generation function and the MAC-generation function:
the MAC-verification function is then understood to be the one just described. That is, a deterministic MAC
may be specified with a pair of functions, $\Pi = (\mathcal{K}, \mathrm{MAC})$, and not a triple of functions, $\Pi = (\mathcal{K}, \mathrm{MAC}, \mathrm{VF})$,
with the understanding that one can later refer to VF and it is the canonical algorithm depicted above.
9.4 A deﬁnition of security for MACs
Let’s concentrate on MACs. We begin with a discussion of the issues and then state a formal deﬁnition.
9.4.1 Towards a deﬁnition of security
The goal that we seek to achieve with a MAC is to be able to detect any attempt by the adversary to modify
the transmitted data. We don't want the adversary to be able to produce messages that the Receiver will deem
authentic—only the Sender should be able to do this. That is, we don't want the adversary A to be able
to create a pair (M, Tag) such that $\mathrm{VF}_K(M, \mathrm{Tag}) = 1$, but M did not originate with the Sender S. Such a pair
(M, Tag) is called a forgery. If the adversary can make such a pair, she is said to have forged.
In some discussions of security people assume that the adversary’s goal is to recover the secret key K. Certainly
if it could do this, it would be a disaster, since it could then forge anything. It is important to understand,
however, that an adversary might be able to forge without being able to recover the key, and if all we asked was
for the adversary to be unable to recover the key, we’d be asking too little. Forgery is what counts, not key
recovery.
Now it should be admitted right away that some forgeries might be useless to the adversary. For example,
maybe the adversary can forge, but it can only forge strings that look random; meanwhile, suppose that all
"good" messages are supposed to have a certain format. Should this really be viewed as a forgery? The answer
is yes. If checking that the message is of a certain format was really a part of validating the message, then that
should have been considered as part of the message-authentication scheme. In the absence of this, it is not for
us to make assumptions about how the messages are formatted or interpreted. We really have no idea. Good
protocol design means the security is guaranteed no matter what the application is. Asking that the adversary
be unable to forge "meaningful" messages, whatever that might mean, would again be asking too little.
In our adversary’s attempt to forge a message we could consider various attacks. The simplest setting is that
the adversary wants to forge a message even though it has never seen any transmission sent by the Sender. In
this case the adversary must concoct a pair (M, Tag) which passes the veriﬁcation test, even though it hasn’t
obtained any information to help. This is called a no-message attack. It often falls short of capturing the
capabilities of realistic adversaries, since an adversary who can inject bogus messages onto the communications
media can probably see valid messages as well. We should let the adversary use this information.
Suppose the Sender sends the transmission (M, Tag) consisting of some message M and its legitimate tag Tag.
The Receiver will certainly accept this—we demanded that. Now at once a simple attack comes to mind: the
adversary can just repeat this transmission, (M, Tag), and get the Receiver to accept it once again. This attack
is unavoidable, so far, in that we required in the syntax of a MAC for the MAC-verification function to be
stateless. If the Verifier accepted (M, Tag) once, he's bound to do it again.
What we have just described is called a replay attack. The adversary sees a valid (M, Tag) from the Sender,
and at some later point in time it retransmits it. Since the Receiver accepted it the ﬁrst time, he’ll do so again.
Should a replay attack count as a valid forgery? In real life it usually should. Say the first message was "Transfer
$1000 from my account to the account of party A." Then party A may have a simple way of enriching herself:
she just keeps replaying this same MAC'ed message, happily watching her bank balance grow.
It is important to protect against replay attacks. But for the moment we will not try to do this. We will say that
a replay is not a valid forgery; to be valid a forgery must be of a message M which was not already produced by
the Sender. We will see later that we can always achieve security against replay attacks by simple means; that
is, we can take any MAC which is not secure against replay attacks and modify it—after making the Veriﬁer
stateful—so that it will be secure against replay attacks. At this point, not worrying about replay attacks results
in a cleaner problem definition. And it leads us to a more modular protocol-design approach—that is, we cut
up the problem into sensible parts (“basic security” and then “replay security”) solving them one by one.
Of course there is no reason to think that the adversary will be limited to seeing only one example message.
Realistic adversaries may see millions of authenticated messages, and still it should be hard for them to forge.
For some MACs the adversary's ability to forge will grow with the number $q_s$ of legitimate message–MAC pairs
it sees. Likewise, in some security systems the number of valid (M, Tag) pairs that the adversary can obtain
may be architecturally limited. (For example, a stateful Signer may be unwilling to MAC more than a certain
number of messages.) So when we give our quantitative treatment of security we will treat $q_s$ as an important
adversarial resource.
How exactly do all these tagged messages arise? We could think of there being some distribution on messages that
the Sender will authenticate, but in some settings it is even possible for the adversary to influence which messages
are tagged. In the worst case, imagine that the adversary itself chooses which messages get authenticated. That
is, the adversary chooses a message, gets its MAC, chooses another message, gets its MAC, and so forth. Then
it tries to forge. This is called an adaptive chosen-message attack. It wins if it succeeds in forging the MAC of a
message which it has not queried to the sender.
At first glance it may seem like an adaptive chosen-message attack is unrealistically generous to our adversary;
after all, if an adversary could really obtain a valid MAC for any message it wanted, wouldn't that make moot
the whole point of authenticating messages? In fact, there are several good arguments for allowing the adversary
such a strong capability. First, we will see examples—higher-level protocols that use MACs—where adaptive
chosen-message attacks are quite realistic. Second, recall our general principles. We want to design schemes
which are secure in any usage. This requires that we make worst-case notions of security, so that when we err in
realistically modelling adversarial capabilities, we err on the side of caution, allowing the adversary more power
than it might really have. Since eventually we will design schemes that meet our stringent notions of security,
we only gain when we assume our adversary to be strong.
As an example of a simple scenario in which an adaptive chosen-message attack is realistic, imagine that the
Sender S is forwarding messages to a Receiver R. The Sender receives messages from any number of third
parties, $A_1, \ldots, A_n$. The Sender gets a piece of data M from party $A_i$ along a secure channel, and then the
Sender transmits to the Receiver $\langle i \rangle \,\|\, M \,\|\, \mathrm{MAC}_K(\langle i \rangle \,\|\, M)$. This is the Sender's way of attesting to the fact that
he has received message M from party $A_i$. Now if one of these third parties, say $A_1$, wants to play an adversarial
role, it will ask the Sender to forward its adaptively-chosen messages $M_1, M_2, \ldots$ to the Receiver. If, based on
what it sees, it can learn the key K, or even if it can learn to forge messages of the form $\langle 2 \rangle \,\|\, M$, so as to produce
a valid $\langle 2 \rangle \,\|\, M \,\|\, \mathrm{MAC}_K(\langle 2 \rangle \,\|\, M)$, then the intent of the protocol will have been defeated, even though it
has correctly used a MAC.
[Figure 9.3: adversary A sends M to a MAC-generation oracle and receives $\mathrm{MAC}_K(M)$; it sends (M, Tag) to a
MAC-verification oracle and receives $\mathrm{VF}_K(M, \mathrm{Tag})$.]
Figure 9.3: The model for a message authentication code. Adversary A has access to a MAC-generation oracle
and a MAC-verification oracle. The adversary wants to get the MAC-verification oracle to accept some (M, Tag)
for which it didn't earlier ask the MAC-generation oracle for M.
So far we have said that we want to give our adversary the ability to obtain MACs for messages of her choosing,
and then we want to look at whether or not it can forge: produce a valid (M, Tag) where it never asked the
Sender to MAC M. But we should recognize that a realistic adversary might be able to produce lots of candidate
forgeries, and it may be content if any of these turn out to be valid. We can model this possibility by giving the
adversary the capability to tell if a prospective (M, Tag) pair is valid, and saying that the adversary forges if it
ever finds an (M, Tag) pair that is valid but M was not MACed by the Sender.
Whether or not a real adversary can try lots of possible forgeries depends on the context. Suppose the Verifier
is going to tear down a connection the moment he detects an invalid tag. Then it is unrealistic to try to use
this Verifier to help you determine if a candidate pair (M, Tag) is valid—one mistake, and you're done for. In
this case, thinking of there being a single attempt to forge a message is quite adequate.
On the other hand, suppose that a Verifier just ignores any improperly tagged message, while it responds in
some noticeably different way if it receives a properly authenticated message. In this case a quite reasonable
adversarial strategy may be to ask the Verifier about the validity of a large number of candidate (M, Tag) pairs.
The adversary hopes to find at least one that is valid. When the adversary finds such an (M, Tag) pair, we'll
say that it has won.
Let us summarize. To be fully general, we will give our adversary two different capabilities. The first adversarial
capability is to obtain a MAC for any message M that it chooses. We will call this a signing query. The
adversary will make some number of them, $q_s$. The second adversarial capability is to find out if a particular
pair (M, Tag) is valid. We will call this a verification query. The adversary will make some number of them,
$q_v$. Our adversary is said to succeed—to forge—if it ever makes a verification query (M, Tag) and gets a return
value of 1 (accept) even though the message M is not a message that the adversary already knew a tag for by
virtue of an earlier signing query. Let us now proceed more formally.
9.4.2 Deﬁnition of security
Let $\mathcal{MA} = (\mathcal{K}, \mathrm{MAC}, \mathrm{VF})$ be an arbitrary message authentication scheme. We will formalize a quantitative
notion of security against adaptive chosen-message attack. We begin by describing the model.
We distill the model from the intuition we have described above. There is no need, in the model, to think of the
Sender and the Verifier as animate entities. The purpose of the Sender, from the adversary's point of view, is to
authenticate messages. So we will embody the Sender as an oracle that the adversary can use to authenticate
any message M. This "signing oracle," as we will call it, is our way to provide the adversary black-box access
to the function $\mathrm{MAC}_K(\cdot)$. Likewise, the purpose of the Verifier, from the adversary's point of view, is to have
something to whom to send attempted forgeries. So we will embody the Verifier as an oracle that the adversary
can use to see if a candidate pair (M, Tag) is valid. This "verification oracle," as we will call it, is our way
to provide the adversary black-box access to the function $\mathrm{VF}_K(\cdot, \cdot)$. Thus, when we become formal, the cast of
characters—the Sender, Verifier, and Adversary—gets reduced to just the adversary, running with her oracles.
The Sender and Verifier have vanished.
Definition 9.2 [MAC Security] Let $\Pi = (\mathcal{K}, \mathrm{MAC}, \mathrm{VF})$ be a message authentication code, and let A be an
adversary. We consider the following experiment:
Experiment $\mathbf{Exp}^{\text{uf-cma}}_{\Pi}(A)$
    $K \xleftarrow{\$} \mathcal{K}$
    Run $A^{\mathrm{MAC}_K(\cdot),\, \mathrm{VF}_K(\cdot,\cdot)}$
    If A made a verification query (M, Tag) such that the following are true
        – The verification oracle returned 1
        – A did not, prior to making verification query (M, Tag), make signing query M
    Then return 1 else return 0
The uf-cma advantage of A is defined as
$$\mathbf{Adv}^{\text{uf-cma}}_{\Pi}(A) = \Pr\left[\mathbf{Exp}^{\text{uf-cma}}_{\Pi}(A) = 1\right] .$$
Let us discuss the above definition. Fix a MAC scheme Π. Then we associate to any adversary A its "advantage,"
or "success probability." We denote this value as $\mathbf{Adv}^{\text{uf-cma}}_{\Pi}(A)$. It's just the chance that A manages to forge.
The probability is over the choice of key K, any probabilistic choices that MAC might make, and the probabilistic
choices, if any, that the adversary A makes.
As usual, the advantage that can be achieved depends both on the adversary strategy and the resources it uses.
Informally, Π is secure if the advantage of a practical adversary is low.
As usual, there is a certain amount of arbitrariness as to which resources we measure. Certainly it is important
to separate the oracle queries ($q_s$ and $q_v$) from the time. In practice, signing queries correspond to messages
sent by the legitimate sender, and obtaining these is probably more difficult than just computing on one's own.
Verification queries correspond to messages the adversary hopes the Verifier will accept, so finding out if it does
accept these queries again requires interaction. Some system architectures may effectively limit $q_s$ and $q_v$. No
system architecture can limit t—that is limited primarily by the adversary's budget.
We emphasize that there are contexts in which you are happy with a MAC that makes forgery impractical when
$q_v = 1$ and $q_s = 0$ (an "impersonation attack") and there are contexts in which you are happy when forgery is
impractical when $q_v = 1$ and $q_s = 1$ (a "substitution attack"). But it is perhaps more common that you'd like
for forgery to be impractical even when $q_s$ is large, like $2^{50}$, and when $q_v$ is large, too.
We might talk of the total length of an adversary's MAC-generation oracle queries, which is the sum of the
lengths of all messages it queries to this oracle. When we say this value is at most $\mu_s$ we mean it is so across
all possible coins of the adversary and all possible answers returned by the oracle. We might talk of the total
length of an adversary's MAC-verification oracle queries, which is the sum of the lengths of all messages in the
queries it makes to its MAC-verification oracle. (Each such query is a pair, but we count only the length of
the message). The same conventions apply.
Naturally the key K is not directly given to the adversary, and neither are any random choices or counter used
by the MAC-generation algorithm. The adversary sees these things only to the extent that they are reflected
in the answers to her oracle queries.
9.5 Examples
Let us examine some example message authentication codes and use the definition to assess their strengths and
weaknesses. We fix a PRF $F\colon \{0,1\}^k \times \{0,1\}^{\ell} \to \{0,1\}^{L}$. Our first scheme $\Pi_1 = (\mathcal{K}, \mathrm{MAC})$ is a deterministic,
stateless MAC, so that we specify only two algorithms, the third being the canonical associated verification
algorithm discussed above. The key-generation algorithm simply picks at random a k-bit key K and returns it,
while the MAC-generation algorithm works as follows:
algorithm $\mathrm{MAC}_K(M)$
    if ($|M| \bmod \ell \ne 0$ or $|M| = 0$) then return ⊥
    Break M into ℓ-bit blocks $M = M[1] \ldots M[n]$
    for $i = 1, \ldots, n$ do $y_i \leftarrow F_K(M[i])$
    $\mathrm{Tag} \leftarrow y_1 \oplus \cdots \oplus y_n$
    return Tag
Now let us try to assess the security of this message authentication code.
Suppose the adversary wants to forge the tag of a certain given message M. A priori it is unclear this can be
done. The adversary is not in possession of the secret key K, so cannot compute $F_K$ and hence will have a hard
time computing Tag. However, remember that the notion of security we have defined says that the adversary
is successful as long as it can produce a correct tag for some message, not necessarily a given one. We now
note that even without a chosen-message attack (in fact without seeing any examples of correctly tagged data)
the adversary can do this. It can choose a message M consisting of two equal blocks, say $M = xx$ where x is
some ℓ-bit string, set $\mathrm{Tag} \leftarrow 0^L$, and make verification query (M, Tag). Notice that $\mathrm{VF}_K(M, \mathrm{Tag}) = 1$ because
$F_K(x) \oplus F_K(x) = 0^L = \mathrm{Tag}$. So the adversary is successful. In more detail, the adversary is:
Adversary $A_1^{\mathrm{MAC}_K(\cdot),\, \mathrm{VF}_K(\cdot,\cdot)}$
    Let x be some ℓ-bit string
    $M \leftarrow xx$
    $\mathrm{Tag} \leftarrow 0^L$
    $d \leftarrow \mathrm{VF}_K(M, \mathrm{Tag})$
Then $\mathbf{Adv}^{\text{uf-cma}}_{\Pi_1}(A_1) = 1$. Furthermore $A_1$ makes no signing oracle queries, uses $t = O(\ell + L)$ time, and its
verification query has length 2ℓ bits, so it is very practical.
There are many other attacks. For example we note that
$$\mathrm{Tag} = F_K(M[1]) \oplus F_K(M[2])$$
is not only the tag of $M[1]M[2]$ but also the tag of $M[2]M[1]$. So it is possible, given the tag of a message, to
forge the tag of a new message formed by permuting the blocks of the old message. We leave it to the reader
to specify the corresponding adversary and compute its advantage.
Let us now try to strengthen the scheme to avoid these attacks. Instead of applying $F_K$ to a data block, we
will first prefix the data block with its index. To do this we pick some parameter m with $1 \le m \le \ell - 1$,
and write the index as an m-bit string. The MAC-generation algorithm of the deterministic, stateless MAC
$\Pi_2 = (\mathcal{K}, \mathrm{MAC})$ is as follows:
algorithm $\mathrm{MAC}_K(M)$
    $l \leftarrow \ell - m$
    if ($|M| \bmod l \ne 0$ or $|M| = 0$ or $|M|/l \ge 2^m$) then return ⊥
    Break M into l-bit blocks $M = M[1] \ldots M[n]$
    for $i = 1, \ldots, n$ do $y_i \leftarrow F_K(\mathrm{NtS}_m(i)\,M[i])$
    $\mathrm{Tag} \leftarrow y_1 \oplus \cdots \oplus y_n$
    return Tag
As before, the verification algorithm is the canonical one that simply recomputes the tag using MAC and checks
whether it is correct.
As the code indicates, we divide M into blocks, but the size of each block is smaller than in our previous
scheme: it is now only $l = \ell - m$ bits. Then we prefix the i-th message block with the value i itself, the block
index, written in binary as a string of length exactly m bits. It is to this padded block that we apply $F_K$ before
taking the XOR.
Note that encoding of the block index i as an m-bit string is only possible if $i < 2^m$. This means that we
cannot authenticate a message M having $2^m$ or more blocks. This explains the conditions under which the
MAC-generation algorithm returns ⊥. However this is hardly a restriction in practice since a reasonable value of m,
like m = 32, is large enough that typical messages fall in the message space.
Anyway, the question we are really concerned with is the security. Has this improved with respect to $\Pi_1$? Begin
by noticing that the attacks we found on $\Pi_1$ no longer work. For example if x is an $(\ell - m)$-bit string and we
let M = xx then its tag is not likely to be $0^L$. (This would happen only if $F_K(\mathrm{NtS}_m(1)\,x) = F_K(\mathrm{NtS}_m(2)\,x)$,
which is unlikely if F is a good PRF and impossible if F is a block cipher, since every instance of a block
cipher is a permutation.) Similar arguments show that the second attack discussed above, namely that based
on permuting of message blocks, also has low success against the new scheme. Why? In the new scheme, if
M[1], M[2] are strings of length $\ell - m$, then
$$\mathrm{MAC}_K(M[1]M[2]) = F_K(\mathrm{NtS}_m(1)\,M[1]) \oplus F_K(\mathrm{NtS}_m(2)\,M[2])$$
$$\mathrm{MAC}_K(M[2]M[1]) = F_K(\mathrm{NtS}_m(1)\,M[2]) \oplus F_K(\mathrm{NtS}_m(2)\,M[1]) .$$
These are unlikely to be equal for the same reasons discussed above. As an exercise, a reader might upper
bound the probability that these values are equal in terms of the value of the advantage of F at appropriate
parameter values.
However, $\Pi_2$ is still insecure. The attack however requires a more non-trivial usage of the chosen-message
attacking ability. The adversary will query the tagging oracle at several related points and combine the responses
into the tag of a new message. We call it $A_2$:
Adversary $A_2^{\mathrm{MAC}_K(\cdot),\, \mathrm{VF}_K(\cdot,\cdot)}$
    Let $a_1, b_1$ be distinct $(\ell - m)$-bit strings
    Let $a_2, b_2$ be distinct $(\ell - m)$-bit strings
    $\mathrm{Tag}_1 \leftarrow \mathrm{MAC}_K(a_1 a_2)$ ; $\mathrm{Tag}_2 \leftarrow \mathrm{MAC}_K(a_1 b_2)$ ; $\mathrm{Tag}_3 \leftarrow \mathrm{MAC}_K(b_1 a_2)$
    $\mathrm{Tag} \leftarrow \mathrm{Tag}_1 \oplus \mathrm{Tag}_2 \oplus \mathrm{Tag}_3$
    $d \leftarrow \mathrm{VF}_K(b_1 b_2, \mathrm{Tag})$
We claim that $\mathbf{Adv}^{\text{uf-cma}}_{\Pi_2}(A_2) = 1$. Why? This requires two things. First that $\mathrm{VF}_K(b_1 b_2, \mathrm{Tag}) = 1$, and second
that $b_1 b_2$ was never a query to $\mathrm{MAC}_K(\cdot)$ in the above code. The latter is true because we insisted above that
$a_1 \ne b_1$ and $a_2 \ne b_2$, which together mean that $b_1 b_2 \notin \{a_1 a_2,\ a_1 b_2,\ b_1 a_2\}$. So now let us check the first claim.
We use the definition of the tagging algorithm to see that
$$\mathrm{Tag}_1 = F_K(\mathrm{NtS}_m(1)\,a_1) \oplus F_K(\mathrm{NtS}_m(2)\,a_2)$$
$$\mathrm{Tag}_2 = F_K(\mathrm{NtS}_m(1)\,a_1) \oplus F_K(\mathrm{NtS}_m(2)\,b_2)$$
$$\mathrm{Tag}_3 = F_K(\mathrm{NtS}_m(1)\,b_1) \oplus F_K(\mathrm{NtS}_m(2)\,a_2) .$$
Now look how $A_2$ defined Tag and do the computation; due to cancellations we get
$$\mathrm{Tag} = \mathrm{Tag}_1 \oplus \mathrm{Tag}_2 \oplus \mathrm{Tag}_3 = F_K(\mathrm{NtS}_m(1)\,b_1) \oplus F_K(\mathrm{NtS}_m(2)\,b_2) .$$
This is indeed the correct tag of $b_1 b_2$, meaning the value $\mathrm{Tag}'$ that $\mathrm{VF}_K(b_1 b_2, \mathrm{Tag})$ would compute, so the latter
algorithm returns 1, as claimed. In summary we have shown that this scheme is insecure.
It turns out that a slight modiﬁcation of the above, based on use of a counter or random number chosen by the
MAC algorithm, actually yields a secure scheme. For the moment however we want to stress a feature of the
above attacks. Namely that these attacks did not cryptanalyze the PRF F. The cryptanalysis of the message
authentication schemes did not care anything about the structure of F; whether it was DES, AES, or anything
else. They found weaknesses in the message authentication schemes themselves. In particular, the attacks work
just as well when $F_K$ is a random function, or a "perfect" cipher. This illustrates again the point we have been
making, about the distinction between a tool (here the PRF) and its usage. We need to make better usage of
the tool, and in fact to tie the security of the scheme to that of the underlying tool in such a way that attacks
like those illustrated here are provably impossible under the assumption that the tool is secure.
9.6 The PRF-as-a-MAC paradigm
Pseudorandom functions make good MACs, and constructing a MAC in this way is an excellent approach. Here
we show why PRFs are good MACs, and determine the concrete security of the underlying reduction. The
following shows that the reduction is almost tight—security hardly degrades at all.
Let $F\colon \mathrm{Keys} \times D \to \{0,1\}^{\tau}$ be a family of functions. We define the associated message authentication code
$\Pi = (\mathcal{K}, \mathrm{MAC})$ via:
algorithm $\mathcal{K}$
    $K \xleftarrow{\$} \mathrm{Keys}$
    return K
algorithm $\mathrm{MAC}_K(M)$
    if ($M \notin D$) then return ⊥
    $\mathrm{Tag} \leftarrow F_K(M)$
    return Tag
Since this is a deterministic stateless MAC, we have not specified a verification algorithm. It is understood to
be the canonical one discussed above.
Note that when we think of a PRF as a MAC it is important that the domain of the PRF be whatever one
wants as the domain of the MAC. So such a PRF probably won't be realized as a block cipher. It may have to
be realized by a PRF that allows for inputs of many different lengths, since you might want to MAC messages
of many different lengths. As yet we haven't demonstrated that we can make such PRFs. But we will. Let us
first relate the security of the above MAC to that of the PRF.
Proposition 9.3 Let $F\colon \mathrm{Keys} \times D \to \{0,1\}^{\tau}$ be a family of functions and let $\Pi = (\mathcal{K}, \mathrm{MAC})$ be the associated
message authentication code as defined above. Let A be any adversary attacking Π, making $q_s$ MAC-generation
queries of total length $\mu_s$, $q_v$ MAC-verification queries of total length $\mu_v$, and having running time t. Then
there exists an adversary B attacking F such that
$$\mathbf{Adv}^{\text{uf-cma}}_{\Pi}(A) \le \mathbf{Adv}^{\text{prf}}_{F}(B) + \frac{q_v}{2^{\tau}} . \tag{9.1}$$
Furthermore B makes $q_s + q_v$ oracle queries of total length $\mu_s + \mu_v$ and has running time t.
Proof: Remember that B is given an oracle for a function $f\colon D \to \{0,1\}^{\tau}$. It will run A, providing it an
environment in which A's oracle queries are answered by B.
Adversary $B^{f}$
    $d \leftarrow 0$ ; $S \leftarrow \emptyset$
    Run A
        When A asks its signing oracle some query M:
            Answer f(M) to A ; $S \leftarrow S \cup \{M\}$
        When A asks its verification oracle some query (M, Tag):
            if f(M) = Tag then
                answer 1 to A ; if $M \notin S$ then $d \leftarrow 1$
            else answer 0 to A
    Until A halts
    return d
160 Goldwasser and Bellare
We now proceed to the analysis. We claim that
$$\Pr\left[\mathbf{Exp}^{\mathrm{prf}\text{-}1}_{F}(B) = 1\right] = \mathbf{Adv}^{\mathrm{uf\text{-}cma}}_{\Pi}(A) \qquad (9.2)$$
$$\Pr\left[\mathbf{Exp}^{\mathrm{prf}\text{-}0}_{F}(B) = 1\right] \le \frac{q_v}{2^{\tau}} . \qquad (9.3)$$
Subtracting, we get Equation (9.1). Let us now justify the two equations above.
In the first case $f$ is an instance of $F$, so that the simulated environment that $B$ is providing for $A$ is exactly that of experiment $\mathbf{Exp}^{\mathrm{uf\text{-}cma}}_{\Pi}(A)$. Since $B$ returns 1 exactly when $A$ makes a successful verification query, we have Equation (9.2).
In the second case, $A$ is running in an environment that is alien to it, namely one where a random function is being used to compute MACs. We have no idea what $A$ will do in this environment, but no matter what, we know that the probability that any particular verification query $(M, \mathrm{Tag})$ with $M \notin S$ will be answered by 1 is at most $2^{-\tau}$, because that is the probability that $\mathrm{Tag} = f(M)$. Since there are at most $q_v$ verification queries, Equation (9.3) follows.
9.7 The CBC MACs
A very popular class of MACs is obtained via cipher-block chaining of a given block cipher.
9.7.1 The basic CBC MAC
Here is the most basic scheme in this class.
Scheme 9.4 [Basic CBC MAC] Let $E\colon \{0,1\}^k \times \{0,1\}^n \to \{0,1\}^n$ be a block cipher. The basic CBC MAC $\Pi = (\mathcal{K}, \mathrm{MAC})$ is a deterministic, stateless MAC that has as a parameter an associated message space $\mathrm{Messages}$. The key-generation algorithm $\mathcal{K}$ simply picks $K$ via $K \xleftarrow{\$} \{0,1\}^k$ and returns $K$. The MAC generation algorithm is as follows:
Algorithm $\mathrm{MAC}_K(M)$
    If $M \notin \mathrm{Messages}$ then return $\bot$
    Break $M$ into $n$-bit blocks $M[1] \cdots M[m]$
    $C[0] \leftarrow 0^n$
    For $i = 1, \ldots, m$ do $C[i] \leftarrow E_K(C[i-1] \oplus M[i])$
    Return $C[m]$
See Figure 9.4 for an illustration with $m = 4$. The verification algorithm VF is the canonical one since this MAC is deterministic: It just checks, on input $(K, M, \mathrm{Tag})$, if $\mathrm{Tag} = \mathrm{MAC}_K(M)$.
As we will see below, the choice of message space $\mathrm{Messages}$ is very important for the security of the CBC MAC. If we take it to be $\{0,1\}^{mn}$ for some fixed value $m$, meaning the length of all authenticated messages is the same, then the MAC is secure. If however we allow the generation of CBC-MACs for messages of different lengths, by letting the message space be the set of all strings having length a positive multiple of $n$, then the scheme is insecure.
Theorem 9.5 [12] Let $E\colon \{0,1\}^k \times \{0,1\}^n \to \{0,1\}^n$ be a block cipher, let $m \ge 1$ be an integer, and let $\Pi$ be the CBC-MAC of Scheme 9.4 over message space $\{0,1\}^{mn}$. Then for any adversary $A$ making at most $q$ MAC-generation queries, one MAC-verification query and having running time $t$ there exists an adversary $B$, making $q + 1$ oracle queries and having running time $t$, such that
$$\mathbf{Adv}^{\mathrm{uf\text{-}cma}}_{\Pi}(A) \le \mathbf{Adv}^{\mathrm{prp\text{-}cpa}}_{E}(B) + \frac{m^2 q^2}{2^{n-1}} .$$
Cryptography: Lecture Notes 161
[Figure 9.4: The CBC MAC, here illustrated with a message $M$ of four blocks, $M = M_1 M_2 M_3 M_4$. Each block $M_i$ is XORed into the previous output and passed through $E_K$; the output of the fourth application of $E_K$ is Tag.]
Now consider a message space that includes strings of different lengths. Specifically, say it includes $\{0,1\}^n$ and $\{0,1\}^{2n}$, meaning messages of one or two blocks may be authenticated. Then the following is an adversary that has advantage one in attacking the CBC MAC:
Adversary $A^{\mathrm{MAC}_K(\cdot)}$
    Let $A, B$ be $n$-bit strings
    $\mathrm{Tag}_A \leftarrow \mathrm{MAC}_K(A)$ ; $\mathrm{Tag}_{AB} \leftarrow \mathrm{MAC}_K(AB)$
    $M \leftarrow \mathrm{Tag}_A \oplus B$ ; $\mathrm{Tag}_M \leftarrow \mathrm{Tag}_{AB}$
    $d \leftarrow \mathrm{VF}_K(M, \mathrm{Tag}_M)$
This adversary makes only two MAC-oracle queries and so is very efficient. Thus the basic CBC MAC is insecure if one uses it to authenticate messages of varying lengths.
9.7.2 Birthday attack on the CBC MAC
The basic idea behind the attack, due to Preneel and van Oorschot [169] and (independently) to Krawczyk, is that internal collisions can be exploited for forgery. The attacks presented in [169] are analyzed assuming the underlying functions are random, meaning the family to which the CBC-MAC transform is applied is $\mathrm{Func}(l, l)$ or $\mathrm{Perm}(l)$. Here we do not make such an assumption. This attack is from [12] and works for any family of permutations. The randomness in the attack (which is the source of birthday collisions) comes from coin tosses of the forger only. This makes the attack more general. (We focus on the case of permutations because in practice the CBC-MAC is usually based on a block cipher.)
Proposition 9.6 Let $l, m, q$ be integers such that $1 \le q \le 2^{(l+1)/2}$ and $m \ge 2$. Let $F\colon \{0,1\}^k \times \{0,1\}^l \to \{0,1\}^l$ be a block cipher, and let $\Pi$ be the CBC-MAC of Scheme 9.4 over message space $\{0,1\}^{ml}$. Then there is a forger $A$ making $q + 1$ oracle queries, running for time $O(lmq \log q)$ and achieving
$$\mathbf{Adv}^{\mathrm{uf\text{-}cma}}_{\Pi}(A) \ge 0.3 \cdot \frac{q(q-1)}{2^l} .$$
The time assessment here puts the cost of an oracle call at one unit.
Comparing the above to Theorem 9.5 we see that the upper bound is tight to within a factor of the square of
the number of message blocks.
We now proceed to the proof. We begin with a couple of lemmas. The ﬁrst lemma considers a slight variant
of the usual birthday problem and shows that the “collision probability” is still the same as that of the usual
birthday problem.
Lemma 9.7 Let $l, q$ be integers such that $1 \le q \le 2^{(l+1)/2}$. Fix $b_1, \ldots, b_q \in \{0,1\}^l$. Then
$$\Pr\left[\exists\, i, j \text{ such that } i \ne j \text{ and } b_i \oplus r_i = b_j \oplus r_j \;:\; r_1, \ldots, r_q \xleftarrow{\$} \{0,1\}^l\right] \ge 0.3 \cdot \frac{q(q-1)}{2^l} .$$
Proof: This is just like throwing $q$ balls into $N = 2^l$ bins and lower bounding the collision probability, except that things are "shifted" a bit: the bin assigned to the $i$th ball is $r_i \oplus b_i$ rather than $r_i$ as we would usually imagine. But with $b_i$ fixed, if $r_i$ is uniformly distributed, so is $r_i \oplus b_i$. So the probabilities are the same as in the standard birthday problem of Appendix A.1.
The first part of the following lemma states an obvious property of the CBC-MAC transform. The item of real interest is the second part of the lemma, which says that in the case where the underlying function is a permutation, the CBC-MAC transform has the property that output collisions occur if and only if input collisions occur. This is crucial to the attack we will present later.
Lemma 9.8 Let $l, m \ge 2$ be integers and $f\colon \{0,1\}^l \to \{0,1\}^l$ a function. Suppose $\alpha_1 \cdots \alpha_m$ and $\beta_1 \cdots \beta_m$ in $\{0,1\}^{ml}$ are such that $\alpha_k = \beta_k$ for $k = 3, \ldots, m$. Then
$$f(\alpha_1) \oplus \alpha_2 = f(\beta_1) \oplus \beta_2 \;\Rightarrow\; f^{(m)}(\alpha_1 \cdots \alpha_m) = f^{(m)}(\beta_1 \cdots \beta_m) .$$
If $f$ is a permutation then, in addition, the converse is true:
$$f^{(m)}(\alpha_1 \cdots \alpha_m) = f^{(m)}(\beta_1 \cdots \beta_m) \;\Rightarrow\; f(\alpha_1) \oplus \alpha_2 = f(\beta_1) \oplus \beta_2 .$$
Proof: The first part follows from the definition of $f^{(m)}$. For the second part let $f^{-1}$ denote the inverse of the permutation $f$. The CBC-MAC computation is easily unraveled using $f^{-1}$. Thus the procedure
$y_m \leftarrow f^{(m)}(\alpha_1 \cdots \alpha_m)$ ; For $k = m$ downto 3 do $y_{k-1} \leftarrow f^{-1}(y_k) \oplus \alpha_k$ End For ; Return $f^{-1}(y_2)$
returns $f(\alpha_1) \oplus \alpha_2$, while the procedure
$y_m \leftarrow f^{(m)}(\beta_1 \cdots \beta_m)$ ; For $k = m$ downto 3 do $y_{k-1} \leftarrow f^{-1}(y_k) \oplus \beta_k$ End For ; Return $f^{-1}(y_2)$
returns $f(\beta_1) \oplus \beta_2$. But the procedures have the same value of $y_m$ by assumption and we know that $\alpha_k = \beta_k$ for $k = 3, \ldots, m$, so the procedures return the same thing.
Proof of Proposition 9.6: Before presenting the forger let us discuss the idea.
The forger $A$ has an oracle $g = f^{(m)}$ where $f$ is an instance of $F$. The strategy of the forger is to make $q$ queries all of which agree in the last $m - 2$ blocks. The first blocks of these queries are all distinct but fixed. The second blocks, however, are random and independent across the queries. Denoting the first block of query $n$ by $a_n$ and the second block by $r_n$, the forger hopes to have $i \ne j$ such that $f(a_i) \oplus r_i = f(a_j) \oplus r_j$. The probability of this happening is lower bounded by Lemma 9.7, but simply knowing the event happens with some probability is not enough; the forger needs to detect its happening. Lemma 9.8 enables us to say that this internal collision happens iff the output MAC values for these queries are equal. (This is true because $f$ is a permutation.) We then observe that if the second blocks of the two colliding queries are both modified by xoring in some value $a$, the resulting queries still collide. The forger can thus forge by modifying the second blocks in this way, obtaining the MAC of one of the modified queries from the oracle, and outputting it as the MAC of the other modified query.
The forger is presented in detail below. It makes use of a subroutine Find that given a sequence $\sigma_1, \ldots, \sigma_q$ of values returns a pair $(i, j)$ with $i \ne j$ such that $\sigma_i = \sigma_j$ if such a pair exists, and otherwise returns $(0, 0)$.
Forger $A^{g}$
    Let $a_1, \ldots, a_q$ be distinct $l$-bit strings
    For $i = 1, \ldots, q$ do $r_i \xleftarrow{\$} \{0,1\}^l$
    For $i = 1, \ldots, q$ do
        $x_{i,1} \leftarrow a_i$ ; $x_{i,2} \leftarrow r_i$
        For $k = 3, \ldots, m$ do $x_{i,k} \leftarrow 0^l$
        $X_i \leftarrow x_{i,1} \ldots x_{i,m}$
        $\sigma_i \leftarrow g(X_i)$
    End For
    $(i, j) \leftarrow \mathrm{Find}(\sigma_1, \ldots, \sigma_q)$
    If $(i, j) = (0, 0)$ then abort
    Else
        Let $a$ be any $l$-bit string different from $0^l$
        $x'_{i,2} \leftarrow x_{i,2} \oplus a$ ; $x'_{j,2} \leftarrow x_{j,2} \oplus a$
        $X'_i \leftarrow x_{i,1}\, x'_{i,2}\, x_{i,3} \cdots x_{i,m}$ ; $X'_j \leftarrow x_{j,1}\, x'_{j,2}\, x_{j,3} \cdots x_{j,m}$
        $\sigma'_i \leftarrow g(X'_i)$
        Return $(X'_j, \sigma'_i)$
    End If
To estimate the probability of success, suppose $g = f^{(m)}$ where $f$ is an instance of $F$. Let $(i, j)$ be the pair of values returned by the Find subroutine. Assume $(i, j) \ne (0, 0)$. Then we know that
$$f^{(m)}(x_{i,1} \cdots x_{i,m}) = f^{(m)}(x_{j,1} \cdots x_{j,m}) .$$
By assumption $f$ is a permutation and by design $x_{i,k} = x_{j,k}$ for $k = 3, \ldots, m$. The second part of Lemma 9.8 then implies that $f(a_i) \oplus r_i = f(a_j) \oplus r_j$. Adding $a$ to both sides we get $f(a_i) \oplus (r_i \oplus a) = f(a_j) \oplus (r_j \oplus a)$. In other words, $f(a_i) \oplus x'_{i,2} = f(a_j) \oplus x'_{j,2}$. The first part of Lemma 9.8 then implies that $f^{(m)}(X'_i) = f^{(m)}(X'_j)$. Thus $\sigma'_i$ is a correct MAC of $X'_j$. Furthermore we claim that $X'_j$ is new, meaning was not queried of the $g$ oracle. Since $a_1, \ldots, a_q$ are distinct, the only thing we have to worry about is that $X'_j = X_j$, but this is ruled out because $a \ne 0^l$.
We have just argued that if the Find subroutine returns $(i, j) \ne (0, 0)$ then the forger is successful, so the success probability is the probability that $(i, j) \ne (0, 0)$. This happens whenever there is a collision amongst the $q$ values $\sigma_1, \ldots, \sigma_q$. Lemma 9.8 tells us however that there is a collision in these values if and only if there is a collision amongst the $q$ values $f(a_1) \oplus r_1, \ldots, f(a_q) \oplus r_q$. The probability is over the random choices of $r_1, \ldots, r_q$. By Lemma 9.7 the probability of the latter is lower bounded by the quantity claimed in the Proposition. We conclude the proof by noting that, with a simple implementation of Find (say using a balanced binary search tree scheme) the running time is as claimed.
9.7.3 Length Variability
For simplicity, let us assume throughout this section that strings to be authenticated have length which is a multiple of $l$ bits. This restriction is easy to dispense with by using simple and well-known padding methods: for example, always append a "1" and then append the minimal number of 0's to make the string a multiple of $l$ bits.
The CBC MAC does not directly give a method to authenticate messages of variable input lengths. In fact, it is easy to "break" the CBC MAC construction if the length of strings is allowed to vary. You are asked to do this in a problem at the end of this chapter. Try it; it is a good exercise in MACs!
One possible attempt to authenticate messages of varying lengths is to append to each string $x = x_1 \cdots x_m$ the number $m$, properly encoded as the final $l$-bit block, and then CBC MAC the resulting string of $m + 1$ blocks. (Of course this imposes a restriction that $m < 2^l$, not likely to be a serious concern.) We define
$$f^{*}_{a}(x_1 \cdots x_m) = f^{(m+1)}_{a}(x_1 \cdots x_m\, m) .$$
We show that $f^{*}$ is not a secure MAC. Take arbitrary $l$-bit words $b, b'$ and $c$, where $b \ne b'$. It is easy to check that given
(1) $t_b = f^{*}(b)$,
(2) $t_{b'} = f^{*}(b')$, and
(3) $t_{b1c} = f^{*}(b\,1\,c)$
the adversary has in hand $f^{*}(b'\,1\,(t_b \oplus t_{b'} \oplus c))$ —the authentication tag of a string she has not asked about before—since this is precisely $t_{b1c}$.
Despite the failure of the above method there are many suitable ways to obtain a PRF that is good on variable input lengths. We mention three. In each, let $F$ be a finite function family from and to $l$-bit strings. Let $x = x_1 \cdots x_m$ be the message to which we will apply $f_a$:
(1) Input-length key separation. Set $f^{*}_{a}(x) = f^{(m)}_{a_m}(x)$, where $a_m = f_a(m)$.
(2) Length-prepending. Set $f^{*}_{a}(x) = f^{(m+1)}_{a}(m\,x)$.
(3) Encrypt last block. Set $f^{*}_{a_1 a_2}(x) = f_{a_2}(f^{(m)}_{a_1}(x))$.
The first two methods are from [12]. The last method appears in an informational Annex of [116], and has now been analyzed by Petrank and Rackoff [162]. It is the most attractive method of the bunch, since the length of $x$ is not needed until the end of the computation, facilitating on-line MAC computation.
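As an added example, not code from the notes or from [12], here is the basic CBC MAC of Scheme 9.4 with its message-space parameter, the two-query forgery of Section 9.7.1 run against it, and the encrypt-last-block variant of method (3) above. The block cipher is a constructed 16-round Feistel toy keyed through SHA-256; it is used only because a Feistel network is a permutation on $n$-bit blocks, the property Section 9.7.2 relies on, and it has no security analysis. All keys, block values and function names are assumptions of this example.

```python
import hashlib
import hmac
from typing import Optional

BLOCK = 8  # n = 64-bit blocks (constructed toy parameter, not a recommendation)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_function(key: bytes, rnd: int, half: bytes) -> bytes:
    """Feistel round function: SHA-256 of (key, round index, right half), truncated."""
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[: BLOCK // 2]


def toy_block_cipher(key: bytes, block: bytes) -> bytes:
    """Stand-in for E_K: a 16-round Feistel network. Every Feistel network is a
    permutation on {0,1}^n whatever its round function, which is all the CBC-MAC
    analysis needs; this toy exists only to make the scheme runnable."""
    if len(block) != BLOCK:
        raise ValueError("block must be exactly n bits")
    left, right = block[: BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(16):
        left, right = right, xor(left, _round_function(key, rnd, right))
    return left + right


def cbc_mac(key: bytes, msg: bytes, fixed_blocks: Optional[int]) -> Optional[bytes]:
    """Scheme 9.4. fixed_blocks = m sets Messages = {0,1}^{mn}; None admits any
    positive number of blocks (the insecure choice). None return value is the scheme's ⊥."""
    if len(msg) == 0 or len(msg) % BLOCK != 0:
        return None
    m = len(msg) // BLOCK
    if fixed_blocks is not None and m != fixed_blocks:
        return None
    c = bytes(BLOCK)  # C[0] = 0^n
    for i in range(m):
        c = toy_block_cipher(key, xor(c, msg[i * BLOCK:(i + 1) * BLOCK]))
    return c


def verify(key: bytes, msg: bytes, tag: bytes, fixed_blocks: Optional[int]) -> bool:
    """Canonical verification: recompute the tag and compare in constant time."""
    expected = cbc_mac(key, msg, fixed_blocks)
    return expected is not None and hmac.compare_digest(expected, tag)


def cbc_mac_encrypt_last_block(key1: bytes, key2: bytes, msg: bytes) -> Optional[bytes]:
    """Method (3) of Section 9.7.3: f*_{a1 a2}(x) = f_{a2}(f^{(m)}_{a1}(x))."""
    inner = cbc_mac(key1, msg, None)
    return None if inner is None else toy_block_cipher(key2, inner)


def splice_demo(key1: bytes, key2: bytes):
    """Replays the two-query adversary of Section 9.7.1: with Tag_A and Tag_AB in hand,
    M = Tag_A ⊕ B is a one-block message whose basic CBC-MAC equals Tag_AB.
    Returns (accepted_variable_length, accepted_fixed_length, accepted_encrypt_last)."""
    a_blk, b_blk = b"block__A", b"block__B"  # constructed n-bit strings A and B
    tag_a = cbc_mac(key1, a_blk, None)
    tag_ab = cbc_mac(key1, a_blk + b_blk, None)
    forged = xor(tag_a, b_blk)
    # Variable-length message space: the forged (M, Tag_AB) pair verifies.
    accepted_variable = verify(key1, forged, tag_ab, None)
    # Messages = {0,1}^{2n}: a one-block message is outside the domain, so VF rejects.
    accepted_fixed = verify(key1, forged, tag_ab, 2)
    # Encrypt-last-block: the adversary sees only E_{K2}(Tag_A), never Tag_A, so the same
    # splice built from the outer tags fails (with overwhelming probability over the keys).
    tag_a2 = cbc_mac_encrypt_last_block(key1, key2, a_blk)
    tag_ab2 = cbc_mac_encrypt_last_block(key1, key2, a_blk + b_blk)
    forged2 = xor(tag_a2, b_blk)
    accepted_encrypt_last = hmac.compare_digest(
        cbc_mac_encrypt_last_block(key1, key2, forged2), tag_ab2)
    return accepted_variable, accepted_fixed, accepted_encrypt_last
```

The `fixed_blocks` parameter is the whole difference between the secure and the insecure instantiation of Scheme 9.4: the algorithm is identical, only the domain check changes, which is why the message-space parameter is part of the scheme's definition rather than an implementation detail.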
9.8 MACing with cryptographic hash functions
Recently there has been a surge of interest in MACing using only cryptographic hash functions like MD5 or
SHA. It is easy to see why. The popular hash functions like MD5 and SHA-1 are faster than block ciphers in software implementation; these software implementations are readily and freely available; and the functions are not subject to the export restriction rules of the USA and other countries.
The more difficult question is how best to do it. These hash functions were not originally designed to be used for message authentication. (One of many difficulties is that hash functions are not keyed primitives, i.e. they do not accommodate naturally the notion of a secret key.) So special care must be taken in using them to this end.
A variety of constructions have been proposed and analyzed. (See Tsudik [201] for an early description of such constructions and Touch [200] for a list of Internet protocols that use this approach. Preneel and van Oorschot [169, 168] survey existing constructions and point out some of their properties and weaknesses; in particular, they present a detailed description of the effect of birthday attacks on iterated constructions. They also present a heuristic construction, the MDx-MAC, based on these findings. Kaliski and Robshaw [119] discuss and compare various constructions. Performance issues are discussed in [200, 11].) Recently, one construction seems to be gaining acceptance. This is the HMAC construction of [18]. In particular HMAC was recently chosen as the mandatory-to-implement authentication transform for Internet security protocols and for this purpose is described in an Internet RFC [127]. HMAC is also used in SSL and SSH, and is a NIST standard.
9.8.1 The HMAC construction
Let $H$ be the hash function. For simplicity of description we may assume $H$ to be MD5 or SHA-1; however the construction and analysis can be applied to other functions as well (see below). $H$ takes inputs of any length and produces $l$-bit output ($l = 128$ for MD5 and $l = 160$ for SHA-1). Let Text denote the data to which the MAC function is to be applied and let $K$ be the message authentication secret key shared by the two parties. (It should not be larger than 64 bytes, the size of a hashing block, and, if shorter, zeros are appended to bring its length to exactly 64 bytes.) We further define two fixed and different 64-byte strings ipad and opad as follows (the "i" and "o" are mnemonics for inner and outer):
ipad = the byte 0x36 repeated 64 times
opad = the byte 0x5C repeated 64 times.
The function HMAC takes the key $K$ and Text, and produces
$$\mathrm{HMAC}_K(\mathrm{Text}) = H(K \oplus \mathrm{opad},\ H(K \oplus \mathrm{ipad},\ \mathrm{Text})) .$$
Namely,
(1) Append zeros to the end of $K$ to create a 64-byte string
(2) XOR (bitwise exclusive-OR) the 64-byte string computed in step (1) with ipad
(3) Append the data stream Text to the 64-byte string resulting from step (2)
(4) Apply $H$ to the stream generated in step (3)
(5) XOR (bitwise exclusive-OR) the 64-byte string computed in step (1) with opad
(6) Append the $H$ result from step (4) to the 64-byte string resulting from step (5)
(7) Apply $H$ to the stream generated in step (6) and output the result
The recommended length of the key is at least $l$ bits. A longer key does not add significantly to the security of the function, although it may be advisable if the randomness of the key is considered weak.
HMAC optionally allows truncation of the final output, say to 80 bits.
As a result we get a simple and efficient construction. The overall cost for authenticating a stream Text is close to that of hashing that stream, especially as Text gets large. Furthermore, the hashing of the padded keys can be precomputed for improved efficiency.
Note that HMAC uses the hash function $H$ as a black box. No modifications to the code for $H$ are required to implement HMAC. This makes it easy to use library code for $H$, and also makes it easy to replace a particular hash function, such as MD5, with another, such as SHA-1, should the need to do this arise.
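As an added example, not code from the notes or from [18], here is the seven-step HMAC procedure above written out literally, together with the precomputation of the two padded-key hash states that the previous paragraph mentions. It keeps the notes' restriction that the key is at most 64 bytes (RFC 2104 instead hashes longer keys; that case is simply rejected here), treats $H$ as a black box exactly as the text says, and cross-checks the result against Python's `hmac` module. Function and class names are this example's own.

```python
import hashlib
import hmac
from typing import Callable, Optional

BLOCK_SIZE = 64  # hashing block size in bytes for MD5, SHA-1 and SHA-256
IPAD = bytes([0x36]) * BLOCK_SIZE
OPAD = bytes([0x5C]) * BLOCK_SIZE


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _padded_key(key: bytes) -> bytes:
    # Step (1): keys longer than one hashing block are not allowed by the text;
    # shorter keys are zero-padded to exactly 64 bytes.
    if len(key) > BLOCK_SIZE:
        raise ValueError("key longer than the 64-byte hashing block")
    return key + bytes(BLOCK_SIZE - len(key))


def hmac_from_steps(key: bytes, text: bytes, H: Callable = hashlib.sha1,
                    truncate_bits: Optional[int] = None) -> bytes:
    """HMAC_K(Text) = H(K ⊕ opad, H(K ⊕ ipad, Text)), following steps (1)-(7)."""
    k = _padded_key(key)                    # (1)
    inner_key = _xor(k, IPAD)               # (2)
    inner = H(inner_key + text).digest()    # (3), (4)
    outer_key = _xor(k, OPAD)               # (5)
    tag = H(outer_key + inner).digest()     # (6), (7)
    if truncate_bits is not None:           # optional truncation, e.g. to 80 bits
        tag = tag[: truncate_bits // 8]
    return tag


class PrecomputedHMAC:
    """Same function, but K ⊕ ipad and K ⊕ opad are hashed once per key: each fills
    exactly one hash block, so the state after absorbing it is cloned per message."""

    def __init__(self, key: bytes, H: Callable = hashlib.sha1):
        k = _padded_key(key)
        self._inner = H(_xor(k, IPAD))
        self._outer = H(_xor(k, OPAD))

    def tag(self, text: bytes) -> bytes:
        inner = self._inner.copy()
        inner.update(text)
        outer = self._outer.copy()
        outer.update(inner.digest())
        return outer.digest()

    def verify(self, text: bytes, tag: bytes) -> bool:
        """Canonical verification with a constant-time comparison."""
        return hmac.compare_digest(self.tag(text), tag)


def matches_stdlib(key: bytes, text: bytes, algo: str = "sha1") -> bool:
    """Cross-check the hand-written steps against Python's hmac module."""
    H = getattr(hashlib, algo)
    return hmac.compare_digest(hmac_from_steps(key, text, H),
                               hmac.new(key, text, H).digest())
```

The precomputed variant is where the "close to the cost of hashing the stream" claim comes from: per message it costs the hash of Text plus one extra compression-function call for the outer hash.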
9.8.2 Security of HMAC
The advantage of HMAC is that its security can be justiﬁed given some reasonable assumptions about the
strength of the underlying hash function.
The assumptions on the security of the hash function should not be too strong, since after all not enough confidence has been gathered in current candidates like MD5 or SHA. (In particular, we now know that MD5 is not collision-resistant [74]. We will discuss the MD5 case later.) In fact, the weaker the assumed security properties of the hash function, the stronger the resultant MAC construction.
We make assumptions that reflect the more standard existing usages of the hash function. The properties we require are mainly a certain kind of weak collision-freeness and some limited "unpredictability." What is shown is that if the hash function has these properties the MAC is secure; the only way the MAC could fail is if the hash function fails.
The analysis of [18] applies to hash functions of the iterated type, a class that includes MD5 and SHA, and consists of hash functions built by iterating applications of a compression function CF according to the procedure of Merkle [144] and Damgård [67]. (In this construction an $l$-bit initial variable IV is fixed, and the output of $H$ on text $x$ is computed by breaking $x$ into 512-bit blocks and hashing in stages using CF, in a simple way that the reader can find described in many places, e.g. [119].) Roughly what [18] says is that an attacker who can forge the HMAC function can, with the same effort (time and collected information), break the underlying hash function in one of the following ways:
(1) The attacker finds collisions in the hash function even when the IV is random and secret, or
(2) The attacker is able to compute an output of the compression function even with an IV that is random, secret and unknown to the attacker. (That is, the attacker is successful in forging with respect to the application of the compression function secretly keyed and viewed as a MAC on fixed length messages.)
The feasibility of any of these attacks would contradict some of our basic assumptions about the cryptographic
strength of these hash functions. Success in the ﬁrst of the above attacks means success in ﬁnding collisions, the
prevention of which is the main design goal of cryptographic hash functions, and thus can usually be assumed
hard to do. But in fact, even more is true: success in the first attack above is even harder than finding collisions in the hash function, because finding collisions when the IV is secret (as is the case here) is far more difficult than finding collisions in the plain (fixed IV) hash function. This is because the former requires interaction with the legitimate user of the function (in order to generate pairs of inputs/outputs from the function), and disallows the parallelism of traditional birthday attacks. Thus, even if the hash function is not collision-free in the traditional sense, our schemes could be secure.
Some “randomness” of hash functions is assumed in their usage for key generation and as pseudorandom
generators. (For example the designers of SHA suggested that SHA be used for this purpose [85].) Randomness
of the function is also used as a design methodology towards achieving collisionresistance. The success of the
second attack above would imply that these randomness properties of the hash functions are very poor.
It is important to realize that these results are guided by the desire to have simple to state assumptions and a simple analysis. In reality, the construction is even stronger than the analysis indicates, in the sense that even were the hash functions found not to meet the stated assumptions, the schemes might be secure. For example, even the weak collision resistance property is overkill, because in actuality, in our constructions, the attacker must find collisions in the keyed function without seeing any outputs of this function, which is significantly harder.
The latter remark is relevant to the recently discovered collision attacks on MD5 [74]. While these attacks could be adapted to attack the weak collision-resistance property of MD5, they do not seem to lead to a breaking of HMAC even when used with MD5.
9.8.3 Resistance to known attacks
As shown in [169, 19], birthday attacks, which are the basis for finding collisions in cryptographic hash functions, can also be applied to attack keyed MAC schemes based on iterated functions (including CBC-MAC and other schemes). These attacks apply to most (or all) of the proposed hash-based constructions of MACs. In particular, they constitute the best known forgery attacks against the HMAC construction. Consideration of these attacks is important since they strongly improve on naive exhaustive search attacks. However, their practical relevance against these functions is negligible given the typical hash lengths like 128 or 160. Indeed, these attacks require the collection of the MAC value (for a given key) on about $2^{l/2}$ messages (where $l$ is the length of the hash output). For values of $l \ge 128$ the attack becomes totally infeasible. In contrast to the birthday attack on keyless hash functions, the new attacks require interaction with the key owner to produce the MAC values on a huge number of messages, and then allow for no parallelization. For example, when using MD5 such an attack would require the authentication of $2^{64}$ blocks (or $2^{73}$ bits) of data using the same key. On a 1 Gbit/sec communication link, one would need 250,000 years to process all the data required by such an attack. This is in sharp contrast to birthday attacks on keyless hash functions which allow for far more efficient and close-to-realistic attacks [202].
9.9 Universal hash based MACs
Today the most eﬀective paradigm for fast message authentication is based on the use of “almost universal hash
functions”. The design of these hash functions receives much attention and has resulted in some very fast ones
[36], so that universal hash based MACs are the fastest MACs around.
9.10 Minimizing assumptions for MACs
As with the other primitives of private key cryptography, the existence of secure message authentication schemes is equivalent to the existence of one-way functions. That one-way functions yield message authentication schemes follows from Theorem 5.20 and Proposition 9.3. The other direction is [114]. In summary:
Theorem 9.9 There exists a secure message authentication scheme for message space $\{0,1\}^{*}$ if and only if there exists a one-way function.
9.11 Problems
Problem 9.10 Consider the following variant of the CBC MAC, intended to allow one to MAC messages of arbitrary length. The construction uses a block cipher $E\colon \{0,1\}^k \times \{0,1\}^n \to \{0,1\}^n$, which you should assume to be secure. The domain for the MAC is $(\{0,1\}^n)^{+}$. To MAC $M$ under key $K$ compute $\mathrm{CBC}_K(M\,|M|)$, where $|M|$ is the length of $M$, written in $n$ bits and appended as a final block. Of course $K$ has $k$ bits. Show that this MAC is completely insecure: break it with a constant number of queries.
Problem 9.11 Consider the following variant of the CBC MAC, intended to allow one to MAC messages of arbitrary length. The construction uses a block cipher $E\colon \{0,1\}^k \times \{0,1\}^n \to \{0,1\}^n$, which you should assume to be secure. The domain for the MAC is $(\{0,1\}^n)^{+}$. To MAC $M$ under key $(K, K')$ compute $\mathrm{CBC}_K(M) \oplus K'$. Of course $K$ has $k$ bits and $K'$ has $n$ bits. Show that this MAC is completely insecure: break it with a constant number of queries.
Problem 9.12 Let $\mathcal{SE} = (\mathcal{K}, \mathcal{E}, \mathcal{D})$ be a symmetric encryption scheme and let $\Pi = (\mathcal{K}', \mathrm{MAC}, \mathrm{VF})$ be a message authentication code. Alice (A) and Bob (B) share a secret key $K = (K1, K2)$ where $K1 \xleftarrow{\$} \mathcal{K}$ and $K2 \xleftarrow{\$} \mathcal{K}'$. Alice wants to send messages to Bob in a private and authenticated way. Consider her sending each of the following as a means to this end. For each, say whether it is a secure way or not, and briefly justify your answer. (In the cases where the method is good, you don't have to give a proof, just the intuition.)
(a) $M, \mathrm{MAC}_{K2}(\mathcal{E}_{K1}(M))$
(b) $\mathcal{E}_{K1}(M, \mathrm{MAC}_{K2}(M))$
(c) $\mathrm{MAC}_{K2}(\mathcal{E}_{K1}(M))$
(d) $\mathcal{E}_{K1}(M), \mathrm{MAC}_{K2}(M)$
(e) $\mathcal{E}_{K1}(M), \mathcal{E}_{K1}(\mathrm{MAC}_{K2}(M))$
(f) $C, \mathrm{MAC}_{K2}(C)$ where $C = \mathcal{E}_{K1}(M)$
(g) $\mathcal{E}_{K1}(M, A)$ where $A$ encodes the identity of Alice; B decrypts the received ciphertext $C$ and checks that the second half of the plaintext is "A".
In analyzing these schemes, you should assume that the primitives have the properties guaranteed by their definitions, but no more; for an option to be good it must work for any choice of a secure encryption scheme and a secure message authentication scheme.
Now, out of all the ways you deemed secure, suppose you had to choose one to implement for a network security application. Taking performance issues into account, do all the schemes look pretty much the same, or is there one you would prefer?
Problem 9.13 Refer to problem 4.3. Given a block cipher $E\colon \mathcal{K} \times \{0,1\}^n \to \{0,1\}^n$, construct a cipher (a "deterministic encryption scheme") with message space $\{0,1\}^{*}$ that is secure in the sense that you defined. (Hint: you now know how to construct from $E$ a pseudorandom function with domain $\{0,1\}^{*}$.)
Chapter 10
Digital signatures
The notion of a digital signature may prove to be one of the most fundamental and useful inventions of modern
cryptography. A signature scheme provides a way for each user to sign messages so that the signatures can later
be veriﬁed by anyone else. More speciﬁcally, each user can create a matched pair of private and public keys so
that only he can create a signature for a message (using his private key), but anyone can verify the signature
for the message (using the signer’s public key). The veriﬁer can convince himself that the message contents
have not been altered since the message was signed. Also, the signer can not later repudiate having signed the
message, since no one but the signer possesses his private key.
By analogy with the paper world, where one might sign a letter and seal it in an envelope, one can sign an
electronic message using one’s private key, and then seal the result by encrypting it with the recipient’s public
key. The recipient can perform the inverse operations of opening the letter and verifying the signature using his
private key and the sender’s public key, respectively. These applications of publickey technology to electronic
mail are quite widespread today already.
If the directory of public keys is accessed over the network, one needs to protect the users from being sent
fraudulent messages purporting to be public keys from the directory. An elegant solution is the use of a
certiﬁcate – a copy of a user’s public key digitally signed by the public key directory manager or other trusted
party. If user A keeps locally a copy of the public key of the directory manager, he can validate all the signed
communications from the publickey directory and avoid being tricked into using fraudulent keys. Moreover,
each user can transmit the certiﬁcate for his public key with any message he signs, thus removing the need for
a central directory and allowing one to verify signed messages with no information other than the directory
manager’s public key. Some of the protocol issues involved in such a network organization, are discussed in the
section on key distribution in these lecture notes.
10.1 The Ingredients of Digital Signatures
A digital signature scheme within the public key framework is defined as a triple of algorithms $(G, \sigma, V)$ such that
• Key generation algorithm $G$ is a probabilistic, polynomial-time algorithm which on input a security parameter $1^k$, produces pairs $(P, S)$ where $P$ is called a public key and $S$ a secret key. (We use the notation $(P, S) \in G(1^k)$ to indicate that the pair $(P, S)$ is produced by the algorithm $G$.)
• Signing algorithm $\sigma$ is a probabilistic polynomial time algorithm which is given a security parameter $1^k$, a secret key $S$ in range $G(1^k)$, and a message $m \in \{0,1\}^k$ and produces as output a string $s$ which we call the signature of $m$. (We use notation $s \in \sigma(1^k, S, m)$ if the signing algorithm is probabilistic and $s = \sigma(1^k, S, m)$ otherwise. As a shorthand when the context is clear, the secret key may be omitted and we will write $s \in \sigma(S, m)$ to mean that $s$ is the signature of message $m$.)
• Verification algorithm $V$ is a probabilistic polynomial time algorithm which given a public key $P$, a digital signature $s$, and a message $m$, returns 1 (i.e., "true") or 0 (i.e., "false") to indicate whether or not the signature is valid. We require that $V(P, s, m) = 1$ if $s \in \sigma(m)$ and 0 otherwise. (We may omit the public key and abbreviate $V(P, s, m)$ as $V(s, m)$ to indicate verifying signature $s$ of message $m$ when the context is clear.)
• The final characteristic of a digital signature system is its security against a probabilistic polynomial-time forger. We delay this definition to later.
Note that if $V$ is probabilistic, we can relax the requirement on $V$ to accept valid signatures and reject invalid signatures with high probability for all messages $m$, all sufficiently large security parameters $k$, and all pairs of keys $(P, S) \in G(1^k)$. The probability is taken over the coins of $V$ and $S$. Note also that the message to be signed may be plain text or encrypted, because the message space of the digital signature system can be any subset of $\{0,1\}^{*}$.
10.2 Digital Signatures: the Trapdoor Function Model
Diffie and Hellman [72] propose that with a public key cryptosystem $(G, E, D)$ based on the trapdoor function model, user A can sign any message $M$ by appending as a digital signature $D(M) = f^{-1}(M)$ to $M$ where $f$ is A's trapdoor public function for which A alone knows the corresponding trapdoor information. Anyone can check the validity of this signature using A's public key from the public directory, since $E(D(M)) = f(f^{-1}(M)) = M$. Note also that this signature becomes invalid if the message is changed, so that A is protected against modifications after he has signed the message, and the person examining the signature can be sure that the message he has received is the one that was originally signed by A.
Thus, in their original proposal Diﬃe and Hellman linked the two tasks of encryption and digital signatures.
We, however, separate these two tasks. It turns out that just as some cryptographic schemes are suited for
encryption but not signatures, many proposals have been made for signatureonly schemes which achieve higher
security.
The RSA public-key cryptosystem, which falls in the Diffie and Hellman paradigm, allows one to implement digital signatures in a straightforward manner. The private exponent $d$ now becomes the signing exponent, and the signature of a message $M$ is now the quantity $M^d \bmod n$. Anyone can verify that this signature is valid using the corresponding public verification exponent $e$ by checking the identity $M = (M^d)^e \bmod n$. If this equation holds, then the signature $M^d$ must have been created from $M$ by the possessor of the corresponding signing exponent $d$. (Actually, it is possible that the reverse happened and that the "message" $M$ was computed from the "signature" $M^d$ using the verification equation and the public exponent $e$. However, such a message is likely to be unintelligible. In practice, this problem is easily avoided by always signing $f(M)$ instead of $M$, where $f$ is a standard public one-way function.)
Cast in our notation for digital signature schemes, the Diffie-Hellman proposal is the following triple of algorithms $(G, \sigma, V)$:
• Key Generation: $G(1^k)$ picks pairs $(f_i, t_i)$ from $F$ where $i \in I \cap \{0,1\}^k$.
• Signing Algorithm: $\sigma(1^k, f_i, t_i, m)$ outputs $f_i^{-1}(m)$.
• Verification Algorithm: $V(f_i, s, m)$ outputs 1 if $f_i(s) = m$ and 0 otherwise.
We will consider the security of this proposal and others. We first define security for digital signatures.
170 Goldwasser and Bellare
10.3 Defining and Proving Security for Signature Schemes
A theoretical treatment of digital signature security was started by Goldwasser, Micali and Yao in [107] and continued in [105, 14, 152, 177, 78].
10.3.1 Attacks Against Digital Signatures
We distinguish three basic kinds of attacks, listed below in the order of increasing severity.
• Key-Only Attack: In this attack the adversary knows only the public key of the signer and therefore only has the capability of checking the validity of signatures of messages given to him.
• Known Signature Attack: The adversary knows the public key of the signer and has seen message/signature pairs chosen and produced by the legal signer. In reality, this is the minimum an adversary can do.
• Chosen Message Attack: The adversary is allowed to ask the signer to sign a number of messages of the adversary's choice. The choice of these messages may depend on previously obtained signatures. For example, one may think of a notary public who signs documents on demand.
For a finer subdivision of the adversary's possible attacks see [105].
What does it mean to successfully forge a signature?
We distinguish several levels of success for an adversary, listed below in the order of increasing success for the adversary.
• Existential Forgery: The adversary succeeds in forging the signature of one message, not necessarily of his choice.
• Selective Forgery: The adversary succeeds in forging the signature of some message of his choice.
• Universal Forgery: The adversary, although unable to find the secret key of the signer, is able to forge the signature of any message.
• Total Break: The adversary can compute the signer's secret key.
Clearly, different levels of security may be required for different applications. Sometimes, it may suffice to show that an adversary who is capable of a known signature attack cannot succeed in selective forgery, while for other applications (for example when the signer is a notary public or a tax-return preparer) it may be required that an adversary capable of a chosen message attack cannot succeed even at existential forgery with non-negligible probability.
The security that we will aim at in these notes is that with high probability a polynomial time adversary would not be able to even existentially forge in the presence of a chosen message attack.
We say that a digital signature is secure if an enemy who can use the real signer as "an oracle" cannot, in time polynomial in the size of the public key, forge a signature for any message whose signature was not obtained from the real signer. Formally, let $B$ be a black box which maps messages $m$ to valid signatures, i.e., $V(P, B(m), m) = 1$ for all messages $m$. Let the forging algorithm $F$ on input the public key $P$ have access to $B$, denoted as $F^B(P)$. The forging algorithm runs in two stages: it first launches a chosen message attack, and then outputs a "new forgery" which is defined to be any message-signature pair such that the message was not signed before and that signature is valid. We require that for all forging algorithms $F$, for all polynomials $Q$, for all sufficiently large $k$,
$$\Pr\big[V(P, s, m) = 1 : (P, S) \xleftarrow{\$} G(1^k);\ (m, s) \xleftarrow{\$} F^B(P)\big] \le \frac{1}{Q(k)}.$$
The probability is taken over the choice of the keys $(P, S) \in G(1^k)$, the coin tosses of the forgery algorithm $F$, and the coins of $B$.
Cryptography: Lecture Notes 171
Diffie and Hellman's original proposal does not meet this strict definition of security; it is possible to existentially forge with just the public information: choose an $s$ at random and apply the public key to $s$ to produce $m = f(s)$. Now $s$ is a valid signature of $m$.
Many digital signature systems have been proposed. For a fairly exhaustive list we refer to the paper [105] handed out.
We examine the security of three systems here.
10.3.2 The RSA Digital Signature Scheme
The first example is based on the RSA cryptosystem.
The public key is a pair of numbers $(n, e)$ where $n$ is the product of two large primes and $e$ is relatively prime to $\phi(n)$, and the secret key is $d$ such that $ed \equiv 1 \bmod \phi(n)$. Signing is to compute $\sigma(m) = m^d \bmod n$. Verifying is to raise the signature to the power $e$ and compare it to the original message.
Claim 10.1 RSA is universally forgeable under a chosen-message attack (alternatively, existentially forgeable under a known message attack).
Proof: If we are able to produce signatures for two messages, the signature of the product of the two messages is the product of the signatures. Let $m_1$ and $m_2$ be the two messages. Generate signatures for these messages with the black box: $\sigma(m_1) = m_1^d \bmod n$, $\sigma(m_2) = m_2^d \bmod n$. Now we can produce the signature for the product of these two messages:
$$\sigma(m_1 m_2) = (m_1 m_2)^d = m_1^d\, m_2^d = \sigma(m_1)\,\sigma(m_2) \bmod n.$$
To produce a signature for a message $m$, begin by choosing a random number $r \in Z_n^*$. Now define $m_1$ and $m_2$ as follows: $m_1 = mr \bmod n$ and $m_2 = r^{-1} \bmod n$. Using the strategy above, we can find a signature for the product of these messages, which is the original message $m$, since $m_1 m_2 = (mr)\,r^{-1} = m$.
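As an added illustration (not code from the notes), the multiplicative property behind Claim 10.1 on a constructed toy RSA key, together with the hash-then-sign variant mentioned at the end of Section 10.2; the key values, the choice of SHA-256 as the public one-way function $f$, and all function names are assumptions of this example.

```python
import hashlib

# Constructed toy RSA key: p = 61, q = 53, e = 17 (so n = 3233 and d = 2753).
P, Q, E = 61, 53, 17
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))        # e*d = 1 mod phi(n)


def rsa_sign(m, d=D, n=N):
    """Textbook RSA signing from Section 10.3.2: sigma(m) = m^d mod n."""
    return pow(m, d, n)


def rsa_verify(m, s, e=E, n=N):
    """Accept iff s^e = m mod n."""
    return pow(s, e, n) == m


def forge_by_blinding(m, r, sign_oracle, n=N):
    """The two chosen-message queries of Claim 10.1: ask for signatures on
    m1 = m*r and m2 = r^{-1}; since (m1*m2)^d = m1^d * m2^d mod n, the product
    of the answers is a signature on m1*m2 = m, which was never queried."""
    m1 = m * r % n
    m2 = pow(r, -1, n)                   # needs gcd(r, n) = 1
    return sign_oracle(m1) * sign_oracle(m2) % n


def digest(m, n=N):
    """The public one-way function f of Section 10.2 (here SHA-256 reduced into Z_n)."""
    return int.from_bytes(hashlib.sha256(str(m).encode()).digest(), "big") % n


def hashed_sign(m, d=D, n=N):
    """Hash-then-sign: sigma(m) = f(m)^d mod n, so the oracle only ever signs digests."""
    return pow(digest(m, n), d, n)


def hashed_verify(m, s, e=E, n=N):
    return pow(s, e, n) == digest(m, n)


if __name__ == "__main__":
    m, r = 1234, 7
    forged = forge_by_blinding(m, r, rsa_sign)
    print("textbook RSA, forged signature on m verifies:", rsa_verify(m, forged))
    # Against hash-then-sign the same product is a signature on the value
    # f(m1)*f(m2) mod n, not on f(m): the blinding relation no longer reaches m.
    forged2 = forge_by_blinding(m, r, hashed_sign)
    print("hash-then-sign, same product verifies for m:", hashed_verify(m, forged2))
```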
10.3.3 El Gamal's Scheme
This digital signature system's security relies on the difficulty of solving a problem called the Diffie-Hellman key-exchange (DHKE) problem, which is related to the discrete log problem. The DHKE problem is: on input a prime $p$, a generator $g$, and $g^y, g^x \in Z_p^*$, compute $g^{xy} \bmod p$. The best way currently known to solve the DHKE is to first solve the discrete log problem. Whether computing a discrete log is as hard as the Diffie-Hellman problem is currently an open question.
The following digital signature scheme is probabilistic. A close variant of it called DSS has been endorsed as a national standard.
Idea of the scheme:
• Public key: A triple $(y, p, g)$, where $y = g^x \bmod p$, $p$ is prime and $g$ is a generator for $Z_p^*$.
• Secret key: $x$ such that $y = g^x \bmod p$.
• Signing: The signature of message $m$ is a pair $(r, s)$ such that $0 \le r, s \le p-1$ and $g^m = y^r r^s \bmod p$.
• Verifying: Check that $g^m = y^r r^s \bmod p$ actually holds.
In order to generate a pair $(r, s)$ which constitutes a signature, the signer begins by choosing a random number $k$ such that $0 \le k \le p-1$ and $\gcd(k, p-1) = 1$. Let $r = g^k \pmod p$. Now we want to compute an $s$ such that $g^m = y^r r^s = g^{xr + ks} \pmod p$. In terms of the exponents, this relationship is $m = xr + ks \pmod{p-1}$. Hence $s = (m - xr)\,k^{-1} \pmod{p-1}$. The signature of $m$ is the pair $(r, s)$.
Clearly, if an attacker could solve the discrete logarithm problem, he could break the scheme completely by computing the secret key $x$ from the information in the public file. Moreover, if an attacker finds $k$ for one
message, he can solve the discrete logarithm problem, so the pseudo-random number generator employed to generate $k$'s has to be of superior quality.
Claim 10.2 This scheme is existentially forgeable in the presence of a known message attack.
Proof: Exercise.
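An added example, not part of the notes: El Gamal signing and verification with constructed toy parameters $p = 467$, $g = 2$, plus the recovery of $x$ from a single leaked $k$ that the remark above warns about; the parameter values and function names are assumptions of this example.

```python
import math
import secrets

# Constructed toy parameters: p = 467 is prime and g = 2 generates Z_467^*
# (466 = 2 * 233, 2^2 != 1 and 2^233 = -1 mod 467).
P, G = 467, 2


def keygen():
    """Secret x, public y = g^x mod p."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def sign(m, x, k=None):
    """r = g^k mod p, s = (m - x r) k^{-1} mod (p-1) with gcd(k, p-1) = 1 (Section 10.3.3)."""
    if k is None:
        while True:
            k = secrets.randbelow(P - 2) + 1
            if math.gcd(k, P - 1) == 1:
                break
    r = pow(G, k, P)
    s = (m - x * r) * pow(k, -1, P - 1) % (P - 1)
    return r, s


def verify(y, m, r, s):
    """Check g^m = y^r r^s mod p; in the exponents this is m = x r + k s mod (p-1)."""
    if not (0 < r < P and 0 <= s < P - 1):
        return False
    return pow(G, m, P) == pow(y, r, P) * pow(r, s, P) % P


def recover_secret(y, m, r, s, k):
    """If the per-signature k of one signature is known, x follows from
    x r = m - k s mod (p-1). When gcd(r, p-1) > 1 there are several candidate
    x's; the one with g^x = y is the key."""
    rhs = (m - k * s) % (P - 1)
    d = math.gcd(r, P - 1)
    if rhs % d:
        return None
    mod = (P - 1) // d
    base = (rhs // d) * pow(r // d, -1, mod) % mod
    for t in range(d):
        x = base + t * mod
        if pow(G, x, P) == y:
            return x
    return None


if __name__ == "__main__":
    x, y = keygen()
    m = 321
    print("fresh signature verifies:", verify(y, m, *sign(m, x)))
    k = 5                                   # suppose this k leaked (gcd(5, 466) = 1)
    r, s = sign(m, x, k)
    print("x recovered from leaked k:", recover_secret(y, m, r, s, k) == x)
```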
Note on a key exchange protocol based on discrete log: It is interesting to note that it is possible for two people to exchange a secret key without a prior secret meeting using the DL problem, which is not known to yield a trapdoor function. This can be done as follows. Persons $A$ and $B$ agree on a prime $p$ and a generator $g$. Person $A$ chooses a secret number $x$ and sends $g^x \pmod p$ to $B$. Person $B$ chooses a secret number $y$ and sends $g^y \pmod p$ to $A$. Now each user can readily compute $g^{xy} \pmod p$; let this be the shared secret key. It is not known if computing $g^{xy}$ is as difficult as DLP.
10.3.4 Rabin's Scheme
Rabin [170] proposed a method where the signature for a message $M$ was essentially the square root of $M$, modulo $n$, the product of two large primes. Since the ability to take square roots is provably equivalent to the ability to factor $n$, an adversary should not be able to forge any signatures unless he can factor $n$. For our purpose let's consider the variant of it when $n = pq$ and $p \equiv q \equiv 3 \bmod 4$, so that the signature is uniquely determined.
This argument assumes that the adversary only has access to the public key containing the modulus $n$ of the signer. An enemy may break this scheme with an active attack by asking the real signer to sign $M = x^2 \bmod n$, where $x$ has been chosen randomly. If the signer agrees and produces a square root $y$ of $M$, there is half a chance that $\gcd(n, x - y)$ will yield a nontrivial factor of $n$ — the signer has thus betrayed his own secrets! Although Rabin proposed some practical techniques for circumventing this problem, they have the effect of eliminating the constructive reduction of factoring to forgery.
Let us look at this in some detail.
This digital signature scheme is based on the difficulty of computing square roots modulo a composite number.
• Public key: $n = pq$
• Secret key: primes $p, q$
• Signing: $s = \sqrt{m} \bmod n$ (assume WLOG that all $m$ are squares)
• Verification: Check that $s^2 = m \bmod n$.
Claim 10.3 This system is existentially forgeable with a key-only attack.
Proof: Choose a signature and square it to produce a corresponding message.
Claim 10.4 The system is totally breakable in the face of a chosen message attack.
Proof: We know that if we can find two distinct square roots of a message, we can factor the modulus. Choose a value $s$ and let $m = s^2$. Now $s$ is a valid signature of $m$. Submit $m$ to the black box. There is a one in two chance that it will produce the same signature $s$. If so, repeat this process. If not, we have both square roots of $m$ and can recover the factors of $n$.
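Added example (not the notes' own code) of the variant above on a constructed toy modulus: the unique square root in $QR_n$ as the signature, the key-only forgery of Claim 10.3, and the chosen-message factoring of Claim 10.4; the primes and all names are assumptions of this example.

```python
import math
import secrets

# Constructed toy Blum integer n = p*q with p = q = 3 mod 4, the variant of Section 10.3.4.
P, Q = 43, 47
N = P * Q                             # 2021
QR_ORDER = (P - 1) * (Q - 1) // 4     # |QR_n| = 483 is odd, so squaring permutes QR_n


def sign(m, p=P, q=Q):
    """sigma(m) = the unique square root of m that lies in QR_n; computing it needs p and q."""
    n, order = p * q, (p - 1) * (q - 1) // 4
    return pow(m, pow(2, -1, order), n)


def verify(m, s, n=N):
    """Check s^2 = m mod n."""
    return s * s % n == m


def existential_forgery(n=N):
    """Claim 10.3: any s is a valid signature of m = s^2 mod n, with no key at all."""
    s = secrets.randbelow(n - 1) + 1
    return s * s % n, s


def factor_from_two_roots(n, s, y):
    """Two square roots of one message with y != +-s mod n give gcd(s - y, n) in {p, q}."""
    if y in (s, n - s):
        return None
    return math.gcd(s - y, n)


def chosen_message_break(sign_oracle, n=N, tries=64):
    """Claim 10.4: submit m = s^2 for a random s. The oracle's root is the one in QR_n,
    which differs from +-s with probability 1/2, and then n is factored."""
    for _ in range(tries):
        s = secrets.randbelow(n - 1) + 1
        if math.gcd(s, n) != 1:
            return math.gcd(s, n)         # s already shares a factor with n
        f = factor_from_two_roots(n, s, sign_oracle(s * s % n))
        if f:
            return f
    return None


if __name__ == "__main__":
    m, s = existential_forgery()
    print("key-only forgery verifies:", verify(m, s))
    print("factor recovered via chosen messages:", chosen_message_break(sign))
```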
Security when "Breaking" is Equivalent to Factoring
Given the insecurity of Rabin's scheme in the face of a chosen message attack, one might hypothesize that there exists no secure digital signature system based on factoring. That is, a scheme wherein:
1. "Breaking" the scheme is equivalent to factoring.
2. The signature scheme is secure against a chosen message attack.
False proof: We assume (1) and show that (2) is impossible. Since the first statement is that "breaking" the scheme is equivalent to factoring, we know that the following reduction must be possible on input of a composite number $n$.
1. Generate a public key $P$.
2. Produce a message $m$.
3. Produce a valid signature $s \in \sigma(P, m)$ using the "breaker" algorithm. (Repeat these three steps up to a polynomial number of times.)
4. Factor $n$.
Conclude that the system must be insecure in the face of a chosen message attack, since we can substitute the CMA for the "breaker" algorithm in step 3. QED
What is wrong with this argument? First, there is only a vague definition of the public information $P$; it need not contain the number $n$. Second, the CMA will always produce signatures with respect to fixed public information, whereas in the above reduction it may be necessary to use different public information in every call to the "breaker".
10.4 Probabilistic Signatures
Probabilistic techniques have also been applied to the creation of digital signatures. This approach was pioneered by Goldwasser, Micali, and Yao [107], who presented signature schemes based on the difficulty of factoring and on the difficulty of inverting the RSA function for which it is provably hard for the adversary to existentially forge using a known signature attack.
Goldwasser, Micali, and Rivest [105] have strengthened this result by proposing a signature scheme which is not existentially forgeable under a chosen message attack. Their scheme is based on the difficulty of factoring, and more generally on the existence of claw-free trapdoor permutations (that is, pairs $f_0, f_1$ of trapdoor permutations defined on a common domain for which it is hard to find $x, y$ such that $f_0(x) = f_1(y)$).
The scheme, as originally described, although attractive in theory, is quite inefficient. However, it can be modified to allow more compact signatures, to make no use of memory between signatures other than for the public and secret keys, and even to remove the need of making random choices for every new signature. In particular, Goldreich [95] has made suggestions that make the factoring-based version of this scheme more practical while preserving its security properties.
Bellare and Micali in [14] have shown a digital signature scheme whose security can be based on the existence of any trapdoor permutation (a weaker requirement than claw-freeness). Then Naor and Yung [152] have shown how, starting with any one-way permutation, to design a digital signature scheme which is secure against existential forgery by a chosen signature attack. Finally, Rompel [177] has shown how to sign given any one-way function. These works build on an early idea due to Lamport on how to sign a single bit in [130]. The idea is as follows. If $f$ is a one-way function, and Alice has published the two numbers $f(x_0) = y_0$ and $f(x_1) = y_1$, then she can sign the message 0 by releasing $x_0$ and she can similarly sign the message 1 by releasing $x_1$. Merkle [146] introduced some extensions of this basic idea, involving building a tree of authenticated values whose root is stored in the public key of the signer.
We now proceed to describe in detail some of these theoretical developments.
10.4.1 Claw-free Trapdoor Permutations
We introduce the notion of claw-free trapdoor permutations and show how to construct a signature scheme assuming the existence of a claw-free pair of permutations.
Definition 10.5 [$f$-claw] Let $f_0, f_1$ be permutations over a common domain $D$. We say that $(x, y, z)$ is an $f$-claw if $f_0(x) = f_1(y) = z$.
Definition 10.6 [A family of claw-free permutations] A family $F = \{f_{0,i}, f_{1,i} : D_i \to D_i\}_{i \in I}$ is called a family of claw-free trapdoor permutations if:
1. There exists an algorithm $G$ such that $G(1^k)$ outputs two pairs $(f_0, t_0), (f_1, t_1)$ where $t_i$ is the trapdoor information for $f_i$.
2. There exists a PPT algorithm that given $f_i$ and $x \in D_i$ computes $f_i(x)$.
3. For every (inverting) algorithm $I$, there exists some negligible function $\nu_I$ such that for all sufficiently large $k$,
$$\Pr\big[f_0(x) = f_1(y) = z : ((f_0, t_0), (f_1, t_1)) \xleftarrow{\$} G(1^k);\ (x, y, z) \xleftarrow{\$} I(f_0, f_1)\big] < \nu_I(k).$$
The following observation shows that the existence of a pair of trapdoor permutations does not immediately imply the existence of a claw-free permutation. For example, define a family of ("RSA") permutations by
$$f_{0,n}(x) \equiv x^3 \bmod n, \qquad f_{1,n}(x) \equiv x^5 \bmod n$$
($\gcd(x, n) = 1$, and $\gcd(15, \Phi(n)) = 1$). Since the two functions commute, it is easy to create a claw by choosing $w$ at random and defining $x = f_{1,n}(w)$, $y = f_{0,n}(w)$, and
$$z = f_{0,n}(x) = f_{1,n}(y) = w^{15} \bmod n.$$
In general, the following question is open:
Open Problem 10.7 Does the existence of a family of trapdoor permutations imply the existence of a family of claw-free trapdoor permutations?
The converse of the above is clearly true: given a claw-free permutations generator, it is easy to generate a trapdoor permutation. If $\{f_0, f_1\}$ is a pair of claw-free permutations over a common domain, that is, it is computationally infeasible to find a triple $x, y, z$ such that $f_0(x) = f_1(y) = z$, then $(f_0, f_0^{-1})$ is trapdoor. (Otherwise, give the inverting algorithm $I$ the value $z = f_1(y)$; $z$ is also distributed uniformly over $D$, so with non-negligible probability $I$ can produce $x = f_0^{-1}(z)$. Therefore $(x, y, z)$ is a claw, contradiction.)
10.4.2 Example: Claw-free permutations exist if factoring is hard
Let $n = pq$, where $p$ and $q$ are primes ($p, q \in H_k$) and $p \equiv 3 \bmod 8$, $q \equiv 7 \bmod 8$. Observe that about 1/16 of odd prime pairs fit this requirement. Let $QR_n$ denote the set of quadratic residues mod $n$.
We first note that:
1. $(J_n(-1)) = +1$, but $-1 \notin QR_n$.
2. $(J_n(2)) = -1$ (and $2 \notin QR_n$).
3. $x \in QR_n$ has exactly one square root $y \in QR_n$ ($n$ is a Blum integer), but has four square roots $y, -y, w, -w$ in general. Roots $w, -w$ have Jacobi symbol $-1$; $y$ and $-y$ have Jacobi symbol $+1$.
We now define a family of pairs of functions, and prove, assuming the intractability of factoring, that it is a family of claw-free trapdoor permutations over $QR_n$.
Define, for $x \in QR_n$:
$$f_{0,n}(x) = x^2 \bmod n, \qquad f_{1,n}(x) = 4x^2 \bmod n.$$
It follows from the above notes that the functions $f_{0,n}, f_{1,n}$ are permutations of $QR_n$.
Claim: $\{f_{0,n}, f_{1,n}\}$ is claw-free.
Proof: Suppose that the pair is not claw-free. Assume $x, y \in QR_n$ satisfy
$$x^2 \equiv 4y^2 \bmod n.$$
This implies that $(x - 2y)(x + 2y) \equiv 0 \bmod n$. However, checking the Jacobi symbol of both sides we have:
$$(J_n(x)) = +1, \qquad (J_n(2y)) = \left(\frac{y}{n}\right)\left(\frac{2}{n}\right) = -1, \qquad (J_n(-2y)) = \left(\frac{-1}{n}\right)\left(\frac{2y}{n}\right) = -1.$$
That is, $x$ is a quadratic residue, but $\pm 2y$ are not. Since $x \not\equiv \pm 2y \bmod n$, $\gcd(x \pm 2y, n)$ will produce a nontrivial factor of $n$.
10.4.3 How to sign one bit
We first describe the basic building block of the signature scheme: signing one bit.
Let $D$ be the common domain of the claw-free pair $\{f_0, f_1\}$, and assume $x$ is selected randomly in $D$.
Public: $x \in D$, $f_0$, $f_1$. Secret: $f_0^{-1}$, $f_1^{-1}$.
To sign the bit $b \in \{0,1\}$ let $s = \sigma(b) = f_b^{-1}(x)$.
To verify the signature $s$, check that $f_b(s) = x$.
Claim 10.8 The above scheme is existentially secure against Chosen Message Attack.
Proof: Suppose, by way of contradiction, that the scheme is not secure. That is, there exists a forging algorithm $F^{CMA}(P)$ that can forge the signature (given the public information); $F$ asks for the signature of $b$ and (for every polynomial $Q$ and infinitely many $k$'s) can sign $\bar b$ correctly with probability $> 1/Q(k)$. To derive the contradiction, we design an algorithm that, given $F^{CMA}$, can make claws:
input: $f_0, f_1$.
output: $x, y, z$, such that $f_0(x) = f_1(y) = z$ (with probability $> 1/Q(k)$).
(1) Select randomly $x \in D$; flip a coin and put in the public file: $z = f_{coin}(x) \in D$, $f_0$, $f_1$. (Note that $f_0, f_1$ are permutations, so $z$ is uniform in $D$.)
(2) Run algorithm $F^{CMA}(P)$:
1. If $F$ asks for the signature of $b \ne coin$, go back to (1).
2. If $F$ asks for the signature of $b = coin$, answer with $x = f_b^{-1}(f_{coin}(x))$.
(3) By the assumption, $F$ can now produce a signature for $\bar b$, namely $y = f_{\bar b}^{-1}(f_{coin}(x))$, i.e. $z = f_b(x) = f_{\bar b}(y)$. That is, we have a claw.
10.4.4 How to sign a message
As before, $D$ is the common domain of the claw-free pair $\{f_0, f_1\}$, and $x$ is selected randomly in $D$.
Public: $x \in D$, $f_0$, $f_1$. Secret: $f_0^{-1}$, $f_1^{-1}$.
For $x \in D$, we sign the first message $m_1$ by:
$$s_1 = \sigma(m_1) = f^{-1}_{m_1}(x)$$
and verify by:
$$V(s_1, m_1) = \begin{cases} 1 & \text{if } f_{m_1}(s_1) = x \\ 0 & \text{otherwise} \end{cases}$$
where, for $m_1 = m_1^1 m_1^2 \dots m_1^k$:
$$f^{-1}_{m_1}(x) = f^{-1}_{m_1^k}\big(\dots\big(f^{-1}_{m_1^2}\big(f^{-1}_{m_1^1}(x)\big)\big)\big), \qquad f_{m_1}(x) = f_{m_1^1}\big(\dots\big(f_{m_1^{k-1}}\big(f_{m_1^k}(x)\big)\big)\big).$$
Clearly $f_m$ is a permutation on $D$, and is easy to compute. To sign the next message $m_2$, we apply the new permutation on the previous signature:
$$s_2 = \sigma(m_2) = \big(f^{-1}_{m_2}(s_1),\ m_1\big)$$
and verify by:
$$V(s_2, m_2) = \begin{cases} 1 & \text{if } f_{m_2}(s_2) = s_1 \text{ and } f_{m_1}(s_1) = x \\ 0 & \text{otherwise.} \end{cases}$$
Notes:
1. With this scheme, the length of the signature grows linearly with the number of messages signed so far.
2. It is clearly easy to forge signatures for a prefix of a message we have already seen. We therefore assume here that we preprocess the messages to be presented in a prefix-free encoding scheme (i.e. no message is a prefix of another message).
Claim: The scheme is existentially secure with respect to a Known Message Attack.
Proof: Assume there exists $F(H, P)$ that (for every polynomial $Q$ and sufficiently large $k$), given the public information $P$ and the history $H = ((m_1, \sigma(m_1)), \dots, (m_l, \sigma(m_l)))$, for messages $m_1, m_2, \dots, m_l$ selected by running $M(1^k)$, can find a message $\hat m \ne m_i$ ($1 \le i \le l$) and produce a signature $\sigma(\hat m)$ such that
$$\Pr\{V(\sigma(\hat m), \hat m) = 1\} > \frac{1}{Q(k)}$$
where the probability is taken over all public files and coin tosses of $F$.
We now design an algorithm $A$ that uses $F$ to come up with a claw:
input: $f_0, f_1$.
output: $a, b, c$, such that $f_0(a) = f_1(b) = c$ (with probability $> 1/Q(k)$).
(1) Choose $m_1, m_2, \dots, m_l \in M(1^k)$ and $x \in_R D$. Let $z = f_{m_l}(\dots(f_{m_1}(x)))$. Let $P = \{f_0, f_1, x\}$ be the public file. (Notice that $z$ is also selected uniformly in $D$.)
(2) Generate the history $H = \big((m_1, f_{m_1}(z)), \dots, (m_l, f_{m_l}(\dots(f_{m_1}(z))))\big)$. Denote $m = m_1 \circ m_2 \circ \dots \circ m_l$, the string of all messages generated.
(3) Run the forging algorithm $F(H, P)$ to produce $(\hat m, \sigma(\hat m))$.
(4) With non-negligible probability, $\sigma(\hat m)$ is a valid signature; that is, "walking back" with $f_{\hat m}$ from $\sigma(\hat m)$, according to the history it supplies, will get to $x$, and therefore must meet the path going back from $\sigma(m_i)$. Let $l$ be the location at which the two paths meet, that is, $m$ agrees with $\hat m$ on the first $l-1$ bits, and denote $w = f^{-1}_{m_{l-1}}(\dots(f^{-1}_{m_0}(z)))$. Assume, w.l.o.g., that the $l$-th bit of $m$ is 0 and the $l$-th bit of $\hat m$ is 1, and let $u, v$ be the corresponding $f_0^{-1}(w), f_1^{-1}(w)$. Output $(u, v, w)$.
Clearly $(u, v, w)$ is a claw. Thus, applying the public $f_0, f_1$ on the output of the forging algorithm $F$ results in a claw, with non-negligible probability; contradiction.
However, this scheme does not seem to be secure against a Chosen Message Attack. At least we do not know how to prove that it is. In the next section we modify it to achieve this.
10.4.5 A secure signature scheme based on claw-free permutations
Let $D_f$ be the common domain of the claw-free permutation pair. Consider the following scheme, for signing messages $m_i \in \{0,1\}^k$ where $i \in \{1, \dots, B(k)\}$ and $B(k)$ is a polynomial in $k$:
Choose two pairs of claw-free permutations, $(f_0, f_1)$ and $(g_0, g_1)$, for which we know $f_0^{-1}, f_1^{-1}, g_0^{-1}, g_1^{-1}$. Choose $X \in D_f$. Let the public key contain $D_f, X, f_0, f_1, g_0, g_1$ and let the secret key contain $f_0^{-1}, f_1^{-1}, g_0^{-1}, g_1^{-1}$.
PK: $D_f, X, f_0, f_1, g_0, g_1$. SK: $f_0^{-1}, f_1^{-1}, g_0^{-1}, g_1^{-1}$.
Let $\circ$ be the concatenation function and set the history $H_1 = \emptyset$. To sign $m_i$, for $i \in \{1, \dots, B(k)\}$:
1. Choose $R_i \in D_g$ uniformly.
2. Set $z_1^i = f^{-1}_{H_i \circ R_i}(X)$.
3. Set $z_2^i = g^{-1}_{m_i}(R_i)$.
4. Set signature $\sigma(m_i) = (z_1^i, z_2^i, H_i)$.
5. Set $H_{i+1} = H_i \circ R_i$.
To verify a message-signature pair $(m, s)$ where $s = (z_1, z_2, H)$,
1. Let $R = g_m(z_2)$.
2. Check that $f_{H \circ R}(z_1) = X$.
If so, then the signature is valid and the verification function $V(m, s) = 1$. Otherwise, $V(m, s) = 0$. This scheme takes advantage of the fact that a new random element $z_1^i$ can be used in place of $X$ for each message, so that the forger is unable to gain information by requesting signatures for a polynomial number of messages.
It is clear that the signing and verification procedures can be performed in polynomial time as required. The following theorem also shows that it is secure:
Theorem 10.9 The claw-free permutation signature scheme is existentially secure against CMA if claw-free permutations exist.
Proof: (by contradiction) Suppose not. Then there is a forger $F^{CMA}(f_0, f_1, g_0, g_1, X)$ which consists of the following two stages:
Stage 1: $F$ obtains signatures $\sigma(m_i)$ for up to $B(k)$ messages $m_i$ of its choice.
Stage 2: $F$ outputs $(\hat m, \hat s)$ where $\hat s = (\hat z_1, \hat z_2, \hat H)$ such that $\hat m$ is different from all $m_i$'s requested in stage 1 and $V(\hat m, \hat s) = 1$.
We show that if such an $F$ did exist, then there would be a PTM $A$ which would:
Input: Uniformly chosen $(h_0, h_1, D_h)$ claw-free such that $h_0^{-1}$ and $h_1^{-1}$ are not known.
Output: An $h$-claw with probability greater than $\frac{1}{Q(k)}$ where $Q(k)$ is a polynomial in $k$.
This is a contradiction by the definition of $h_0$ and $h_1$.
PTM $A$ is based on the fact that when $F$ is successful it does one of the following in stage 2:
Type 1 forgery: Find a $g$-claw.
Type 2 forgery: Find an $f$-claw.
Type 3 forgery: Find $f_0^{-1}(\omega)$ or $f_1^{-1}(\omega)$ for $\omega = z_1^{B(k)}$, the last point in the history provided by the signer.
PTM $A$ consists of two PTM's $A_1$ and $A_2$ which are run one after the other. $A_1$ attempts to find an $h$-claw based on the assumption that $F$ produces a $g$-claw. $A_2$ attempts to find an $h$-claw based on the assumption that $F$ produces an $f$-claw. Both $A_1$ and $A_2$ will use $h_0$ and $h_1$ in their public keys. In order to sign a message using $h_0$ and $h_1$, these PTM's will compute $v = h_b(R)$ for some $R \in D_h$ and use $R$ as $h_b^{-1}(v)$. Thus, neither $A_1$ nor $A_2$ will need to invert $h_b$ when answering $F$'s requests. Note that since $h_b$ is a permutation, $v$ will be random if $R$ is.
Description of $A_1$:
1. Choose $(f_0, f_1, D_f)$ claw-free such that we know $f_0^{-1}$ and $f_1^{-1}$. Let the public key contain $D_f, X, f_0, f_1, g_0 = h_0$, and $g_1 = h_1$. Let the secret key contain $f_0^{-1}$ and $f_1^{-1}$.
PK: $D_f, X, f_0, f_1, g_0 = h_0, g_1 = h_1$. SK: $f_0^{-1}, f_1^{-1}$.
2. Set history $H_1 = \emptyset$ and run $F(f_0, f_1, g_0, g_1, X)$. When $F$ asks for the signature of a message $m_i$,
(a) Choose $z_2^i \in D_g$ at random.
(b) Set $R_i = g_{m_i}(z_2^i)$.
(c) Set $z_1^i = f^{-1}_{H_i \circ R_i}(X)$.
(d) Output $(z_1^i, z_2^i, H_i)$.
(e) Set $H_{i+1} = H_i \circ R_i$.
$F$ then outputs $(\hat m, \hat s)$ where $\hat s = (\hat z_1, \hat z_2, \hat H)$.
3. Test to see that $V(\hat m, \hat s) = 1$. If not, then $A_1$ fails.
4. Let $\hat R = g_{\hat m}(\hat z_2)$. If $\hat R \ne R_i$ for every $i$, then $A_1$ fails since $F$ did not produce a type 1 forgery.
5. Otherwise, let $j$ be such that $\hat R = R_j$. We now have $h_{\hat m}(\hat z_2) = h_{m_j}(z_2^j) = R_j$. From this we easily obtain an $h$-claw.
Description of $A_2$:
1. Choose $(g_0, g_1, D_g)$ claw-free such that we know $g_0^{-1}$ and $g_1^{-1}$. Let $f_0 = h_0$ and $f_1 = h_1$. Choose $R_1, R_2, \dots, R_{B(k)} \in D_g$, $c \in \{0,1\}$ and $z \in D_f$ uniformly and independently. Set $X = f_{R_1 \circ R_2 \circ \dots \circ R_{B(k)} \circ c}(z)$. Let the public key contain $D_f, X, f_0, f_1, g_0$ and $g_1$. Let the secret key contain $g_0^{-1}$ and $g_1^{-1}$.
PK: $D_f, X, g_0, g_1, f_0 = h_0, f_1 = h_1$. SK: $g_0^{-1}, g_1^{-1}$.
2. Set history $H_1 = \emptyset$ and run $F(f_0, f_1, g_0, g_1, X)$. When $F$ asks for the signature of message $m_i$,
(a) Set $z_1^i = f_{R_{i+1} \circ \dots \circ R_{B(k)} \circ c}(z)$.
(b) Set $z_2^i = g^{-1}_{m_i}(R_i)$.
(c) Output $(z_1^i, z_2^i, H_i)$.
(d) Set $H_{i+1} = H_i \circ R_i$.
$F$ then outputs $(\hat m, \hat s)$ where $\hat s = (\hat z_1, \hat z_2, \hat H)$.
3. Let $\hat R = g_{\hat m}(\hat z_2)$.
4. There are three possibilities to consider:
$F$ made a type 1 forgery: This means $\hat H \circ \hat R = H_i$ for some $i$. In this case $A_2$ fails.
$F$ made a type 2 forgery: There is some first bit in $\hat H \circ \hat R$ which differs from $A_2$'s final history $H_N$. As a result, $\hat H \circ \hat R = H \circ b \circ \hat S$ and $H_N = H \circ \bar b \circ S$ for some $b \in \{0,1\}$ and strings $H, \hat S, S$. From this we obtain $f_b(f_{\hat S}(\hat z_1)) = f_{\bar b}(f_S(z_1^N))$, which provides $A_2$ with an $h$-claw.
$F$ made a type 3 forgery: $\hat H \circ \hat R = H_N \circ b \circ S$ for some bit $b$ and string $S$. Since the bit $d$ chosen by $A_2$ to follow $H_N$ if another request were made is random, $b$ will be different from $d$ with probability 1/2. In this case, $A_2$ will have $h_0^{-1}(h^{-1}_{H_N}(X))$ and $h_1^{-1}(h^{-1}_{H_N}(X))$, providing $A_2$ with an $h$-claw.
Suppose that with probability $p_1$, $F(f_0, f_1, g_0, g_1, X)$ provides a type 1 forgery, with probability $p_2$ it provides a type 2 forgery, and with probability $p_3$ it provides a type 3 forgery. Since $f_0, f_1, g_0, g_1, h_0, h_1$ are chosen uniformly over claw-free permutations, $A_1$ will succeed with probability $p_1$ and $A_2$ will succeed with probability $p_2 + \frac{p_3}{2}$. Thus, $A_1$ or $A_2$ will succeed with probability at least
$$\max\Big(p_1,\ p_2 + \frac{p_3}{2}\Big) \ge \frac{1}{3Q(k)}.$$
Notes:
1. Unlike the previous scheme, the signature here need not contain all the previous messages signed by the scheme; only the elements $R_i \in D_g$ are attached to the signature.
2. The length of the signature need not be linear in the number of messages signed. It is possible, instead of linking the $R_i$ together in a linear fashion, to build a tree structure, where $R_1$ authenticates $R_2$ and $R_3$, and $R_2$ authenticates $R_4$ and $R_5$, and so forth, till we construct a full binary tree of depth logarithmic in $B(k)$, where $B(k)$ is a bound on the total number of signatures ever to be signed. Then, relabel the $R_j$'s in the leaves of this tree as $r_1, \dots, r_{B(k)}$.
In the computation of the signature of the $i$-th message, we let $z_2^i = g^{-1}_{m_i}(r_i)$, and let $z_1^i = f^{-1}_{r_i}(R)$ where $R$ is the father of $r_i$ in the tree of authenticated $R$'s. The signature of the $i$-th message then needs to contain all $R_t$'s on the path from the leaf $r_i$ to the root, which is only logarithmic in the number of messages ever to be signed.
3. The cost of computing $f_m^{-1}(x)$ is $|m|$ times the cost of computing $f^{-1}$. Next we show that for the implementation of claw-free functions based on factoring, the $|m|$ factor can be saved.
Example: Efficient way to compute $f_m^{-1}(z)$
As we saw in Example 10.4.2, if factoring is hard, a particular family of trapdoor permutations is claw-free. Let $n = pq$, where $p$ and $q$ are primes and $p \equiv 3 \bmod 8$, $q \equiv 7 \bmod 8$. For $x \in QR_n$:
$$f_{0,n}(x) = x^2 \bmod n, \qquad f_{1,n}(x) = 4x^2 \bmod n$$
is this family of claw-free trapdoor permutations.
Notation: We write $\sqrt{x} = y$ when $y^2 = x$ and $y \in QR_n$.
To compute $f_m^{-1}(z)$ we first compute (all computations below are mod $n$):
$$f^{-1}_{00}(z) = \sqrt{\sqrt{z}}$$
$$f^{-1}_{01}(z) = \sqrt{\frac{\sqrt{z}}{4}} = \frac{1}{\sqrt{4}}\sqrt{\sqrt{z}}$$
$$f^{-1}_{10}(z) = \sqrt{\sqrt{\frac{z}{4}}} = \frac{1}{\sqrt{\sqrt{4}}}\sqrt{\sqrt{z}}$$
$$f^{-1}_{11}(z) = \sqrt{\frac{1}{4}\sqrt{\frac{z}{4}}}$$
Let $i(m)$ be the integer corresponding to the string $m$ reversed. It is easy to see that in the general case we get:
$$f_m^{-1}(z) = \left(\frac{z}{4^{i(m)}}\right)^{\frac{1}{2^{|m|}}}$$
Now, all we need is to compute the $2^{|m|}$-th root mod $n$ once, and this can be done efficiently, by raising to a power mod $\Phi(n)$.
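An added example, not from the notes, serving Example 10.4.2, the message signing of Section 10.4.4, the scheme of Section 10.4.5 and the efficient $f_m^{-1}$ computation just above: the factoring-based pair $f_0(x) = x^2$, $f_1(x) = 4x^2$ on $QR_n$ with both the iterated and the single-exponentiation inverse, the claw-to-factor step from the claim's proof, and the two-pair signing and verification with history. The toy primes, the fixed-width bit encoding of $R_i$, and all names are assumptions of this example.

```python
import math
import secrets

# Constructed toy moduli with p = 3 mod 8, q = 7 mod 8 (Example 10.4.2): 83*167 for the f pair,
# 59*31 for the g pair. Sizes are chosen so the demo runs in an instant, nothing more.
F_PRIMES, G_PRIMES = (83, 167), (59, 31)


class ClawFreePair:
    """f_0(x) = x^2 mod n, f_1(x) = 4x^2 mod n on QR_n. With the trapdoor (p, q) we know
    |QR_n| = (p-1)(q-1)/4, which is odd, so each square root in QR_n is one exponentiation."""

    def __init__(self, n, primes=None):
        self.n = n
        self.order = None if primes is None else (primes[0] - 1) * (primes[1] - 1) // 4

    def apply(self, b, x):                 # f_b (public)
        return (4 ** b) * x * x % self.n

    def apply_str(self, m, x):             # f_m(x) = f_{m_1}(...(f_{m_k}(x))): last bit applied first
        for bit in reversed(m):
            x = self.apply(int(bit), x)
        return x

    def invert(self, b, y):                # f_b^{-1}: the root in QR_n of y (of y/4 when b = 1)
        if b:
            y = y * pow(4, -1, self.n) % self.n
        return pow(y, pow(2, -1, self.order), self.n)

    def invert_str(self, m, y):            # f_m^{-1}: invert m_1 first, m_k last (|m| roots)
        for bit in m:
            y = self.invert(int(bit), y)
        return y

    def invert_str_fast(self, m, y):       # (y / 4^{i(m)})^{1/2^{|m|}}: a single 2^|m|-th root
        i_m = int(m[::-1], 2) if m else 0  # i(m) = integer of the reversed string
        y = y * pow(pow(4, -1, self.n), i_m, self.n) % self.n
        return pow(y, pow(2 ** len(m), -1, self.order), self.n)

    def random_qr(self):
        while True:
            x = secrets.randbelow(self.n)
            if math.gcd(x, self.n) == 1:
                return x * x % self.n

    def factor_from_claw(self, x, y):      # the claim's proof: x^2 = 4y^2 with x != +-2y splits n
        for cand in (x - 2 * y, x + 2 * y):
            d = math.gcd(cand % self.n, self.n)
            if 1 < d < self.n:
                return d
        return None


def qr_set(n):                             # QR_n by brute force (toy sizes only)
    return {x * x % n for x in range(1, n) if math.gcd(x, n) == 1}


def enc(R, n):                             # fixed-width bits of R in D_g, so H_i o R_i parses uniquely
    return format(R, f"0{n.bit_length()}b")


class GMRSigner:
    """Section 10.4.5 with f on QR_{n_f} and g on QR_{n_g}; the history H_i is the bit string
    enc(R_1) o ... o enc(R_{i-1})."""

    def __init__(self):
        self.f = ClawFreePair(F_PRIMES[0] * F_PRIMES[1], F_PRIMES)
        self.g = ClawFreePair(G_PRIMES[0] * G_PRIMES[1], G_PRIMES)
        self.X = self.f.random_qr()
        self.H = ""                        # H_1 is empty
        self.pk = (self.f.n, self.g.n, self.X)

    def sign(self, m):                     # m is a bit string
        R = self.g.random_qr()                                     # step 1
        z1 = self.f.invert_str(self.H + enc(R, self.g.n), self.X)  # step 2: f^{-1}_{H_i o R_i}(X)
        z2 = self.g.invert_str(m, R)                               # step 3: g^{-1}_{m_i}(R_i)
        sig = (z1, z2, self.H)                                     # step 4
        self.H += enc(R, self.g.n)                                 # step 5
        return sig


def gmr_verify(pk, m, sig):
    n_f, n_g, X = pk
    f, g = ClawFreePair(n_f), ClawFreePair(n_g)   # verifier has no trapdoor
    z1, z2, H = sig
    R = g.apply_str(m, z2)                         # recover R = g_m(z_2)
    return f.apply_str(H + enc(R, n_g), z1) == X   # check f_{H o R}(z_1) = X
```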
10.4.6 A secure signature scheme based on trapdoor permutations
This section contains the trapdoor permutation signature scheme. We begin by showing the method for signing a single bit $b$:
1. Choose a trapdoor permutation $f$ for which we know the inverse. Choose $X_0, X_1 \in D_f$ uniformly and independently. Let the public key contain $f$, $f(X_0)$, and $f(X_1)$. Let the secret key contain $X_0$ and $X_1$.
PK: $f, f(X_0), f(X_1)$. SK: $X_0, X_1$.
2. The signature of b, σ(b) = X
b
.
To verify (b, s) simply test f(s) = f(X
b
).
The scheme for signing multiple messages, uses the scheme above as a building block. The problem with signing
multiple messages is that f cannot be reused. Thus, the trapdoor permutation signature scheme generates and
signs a new trapdoor permutation for each message that is signed. The new trapdoor permutation can then be
used to sign the next message.
Description of the trapdoor permutation signature scheme:
1. Choose a trapdoor permutation $f_1$ for which we know the inverse. Choose $\alpha^j_0, \alpha^j_1 \in \{0,1\}^k$ for $j \in \{1, \ldots, k\}$ and $\beta^j_0, \beta^j_1 \in \{0,1\}^k$ for $j \in \{1, \ldots, K(k)\}$, where K(k) is a polynomial in k, uniformly and independently. Let the public key contain $f_1$ and all α's and β's. Let the secret key contain $f_1^{-1}$. Let the history be $H_1 = \emptyset$.
   PK: $f_1, \alpha^i_b, \beta^j_b$ for $b \in \{0,1\}$, $i \in \{1, \ldots, k\}$, $j \in \{1, \ldots, K(k)\}$        SK: $f_1^{-1}$
To sign message $m_i = m^1 m^2 \cdots m^k$:
2. Set $AUTH^{\alpha,f_i}_{m_i} = (f_i^{-1}(\alpha^1_{m^1}), f_i^{-1}(\alpha^2_{m^2}), \ldots, f_i^{-1}(\alpha^k_{m^k}))$. $AUTH^{\alpha,f_i}_{m_i}$ is the signature of $m_i$ using $f_i$ and the α's.
3. Choose a new trapdoor function $f_{i+1}$ such that we know $f_{i+1}^{-1}$.
4. Set $AUTH^{\beta,f_i}_{f_{i+1}} = (f_i^{-1}(\beta^1_{f_{i+1,1}}), f_i^{-1}(\beta^2_{f_{i+1,2}}), \ldots, f_i^{-1}(\beta^{K(k)}_{f_{i+1,K(k)}}))$, where $f_{i+1} = f_{i+1,1} \circ f_{i+1,2} \circ \cdots \circ f_{i+1,K(k)}$ is the binary representation of $f_{i+1}$.
5. The signature of $m_i$ is $\sigma(m_i) = (AUTH^{\alpha,f_i}_{m_i}, AUTH^{\beta,f_i}_{f_{i+1}}, H_i)$. $AUTH^{\beta,f_i}_{f_{i+1}}$ is the signature of $f_{i+1}$ using $f_i$ and the β's.
6. Set $H_{i+1} = H_i \circ (AUTH^{\alpha,f_i}_{m_i}, AUTH^{\beta,f_i}_{f_{i+1}})$.
Note: We assume that K(k) bits are sufficient to describe $f_{i+1}$.
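The bit-by-bit authentication step of the scheme just described (steps 1, 2 and 4), as an added Python example that is not part of the notes; it assumes RSA on constructed toy primes as the trapdoor permutation f, and the names gen_labels, auth, verify_auth and sign_step are mine:

```python
"""Added example, not from the notes: the bit-by-bit authentication step of the
trapdoor permutation signature scheme of Section 10.4.6. RSA on constructed toy
parameters (assumption: two small known primes, far too short for real use)
stands in for the trapdoor permutation f; the same routine signs the K(k)-bit
description of f_{i+1} under the beta's (step 4). The chaining of f_{i+1} and
the history H_i are not shown."""
import secrets
from math import gcd

P, Q = 104729, 1299709                     # constructed toy primes
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))          # the trapdoor: f^{-1}(y) = y^D mod N


def f(x):
    """The public direction of the trapdoor permutation on Z_N^*."""
    return pow(x, E, N)


def f_inv(y):
    """Needs the trapdoor D, i.e. the secret key."""
    return pow(y, D, N)


def random_point():
    """Uniform element of D_f = Z_N^*."""
    while True:
        x = secrets.randbelow(N - 1) + 1
        if gcd(x, N) == 1:
            return x


def gen_labels(n):
    """Step 1: n pairs (label_0, label_1) drawn uniformly from D_f; these are
    the alpha's (n = k) or the beta's (n = K(k)) of the public key."""
    return [(random_point(), random_point()) for _ in range(n)]


def auth(bits, labels):
    """Step 2: AUTH^{label,f}_m = (f^{-1}(label^1_{m^1}), ..., f^{-1}(label^k_{m^k})).
    Each label's preimage is revealed at most once, which is why f and its
    labels must not be reused for a second message."""
    if len(bits) != len(labels):
        raise ValueError("message length must equal the number of label pairs")
    return [f_inv(labels[j][b]) for j, b in enumerate(bits)]


def verify_auth(bits, labels, sig):
    """Accept iff f(s_j) = label^j_{m^j} for every position j."""
    if not (len(bits) == len(labels) == len(sig)):
        return False
    return all(f(s) == labels[j][b] for j, (b, s) in enumerate(zip(bits, sig)))


def to_bits(n, width):
    """Big-endian bit list of n, e.g. the binary description of f_{i+1}."""
    return [(n >> (width - 1 - j)) & 1 for j in range(width)]


def sign_step(m_bits, alpha, next_desc, beta):
    """Steps 2 and 4 for one message: authenticate the message bits under the
    alpha's and the description of the next permutation under the beta's."""
    return auth(m_bits, alpha), auth(to_bits(next_desc, len(beta)), beta)


def verify_step(m_bits, alpha, next_desc, beta, sig):
    """Check both halves of sigma(m_i) against the public labels."""
    auth_m, auth_f = sig
    return (verify_auth(m_bits, alpha, auth_m)
            and verify_auth(to_bits(next_desc, len(beta)), beta, auth_f))
```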
Theorem 10.10 The trapdoor permutation signature scheme is existentially secure against CMA if trapdoor permutations exist.
Proof: (by contradiction) Suppose not. Then there is a forger F which can request messages of its choice and then forge a message not yet requested with probability at least $\frac{1}{Q(k)}$, where Q(k) is a polynomial in k. We show that if such an F did exist, we could find a PTM $A'$ which would:
Input: Trapdoor function h for which the inverse is unknown, and $\omega \in \{0,1\}^k$.
Output: $h^{-1}(\omega)$ with probability at least $\frac{1}{Q'(k)}$, where $Q'(k)$ is a polynomial in k. The probability is taken over h's, ω's, and the coins of $A'$.
The construction of $A'$ is as follows:
1. $A'$ will attempt to use h as one of its trapdoor permutations in answering a signature request by F. Since $A'$ does not know $h^{-1}$, it generates an appropriate set of α's and β's as follows: Randomly and uniformly choose $\gamma^j_b, \delta^j_b \in \{0,1\}^k$ for all $b \in \{0,1\}$ and $j \in \{1, \ldots, k\}$. Let $\alpha^j_b = h(\gamma^j_b)$ and $\beta^j_b = h(\delta^j_b)$ for the same range of b and j. Choose $n \in \{1, \ldots, B(k)\}$ uniformly. For the first phase, $A'$ will act very much like a trapdoor permutation signature scheme with one exception. When it is time for $A'$ to choose its one way permutation $f_n$, it will choose h. If $A'$ were to leave the α's and β's unchanged at this point, it would be able to sign F's request for $m_n$ though it does not know $h^{-1}$. However $A'$ does change one of the α's or β's, as follows:
2. Randomly choose one of the α's or β's and set it equal to the input ω. Let the public key contain $f_1$ (this is h if n = 1), the α's and the β's.
3. Run F using the current scheme. Note that with probability at least $\frac{1}{B(k)}$, F will make at least n message requests. Note also that when F does request a signature for message $m_n$, $A'$ will be able to sign $m_n$ with probability 1/2. This is because with probability 1/2 $A'$ will not have to calculate (using h) the inverse of the α (or β) which was set to ω.
4. With probability $\frac{1}{Q(k)}$, F will successfully output a good forgery $(\hat{m}, \hat{s})$. In order for $\hat{s}$ to be a good forgery it must not only be verifiable, but it must diverge from the history of requests made to $A'$. With probability at least $\frac{1}{B(k)}$ the forger will choose to diverge from the history precisely at request n. Thus, F will use h as its trapdoor permutation.
5. If this is the case, the probability is $\frac{1}{2(k+K(k))}$ that the forger will invert the α (or β) which was set to ω.
6. If so, $A'$ outputs $h^{-1}(\omega)$.
The probability that $A'$ succeeds is therefore at least
$$\frac{1}{Q'(k)} = \frac{1}{4(k+K(k))B^2(k)}$$
and since $4(k+K(k))B^2(k)$ is a polynomial in k we have a contradiction.
10.5 Concrete security and Practical RSA based signatures
In practice, the most widely employed paradigm for signing with RSA is "hash then decrypt": first "hash" the message into a domain point of RSA and then decrypt (i.e. exponentiate with the RSA decryption exponent). The attraction of this paradigm is clear: signing takes just one RSA decryption, and verification just one RSA encryption. Furthermore it is simple to implement. Thus, in particular, this is the basis of several existing standards.
In this section we analyze this paradigm. We will see that, unfortunately, the security of the standardized schemes cannot be justified under standard assumptions about RSA, even assuming the underlying hash functions are ideal. Schemes with better justified security would be recommended.
We have already seen that such schemes do exist. Unfortunately, none of them match the schemes of the hash then decrypt paradigm in efficiency and simplicity. (See Section 10.5.13 for comparisons.) So what can we do?
We present here some schemes that match "hash then decrypt" ones in efficiency but are provably secure assuming we have access to ideal hash functions. (As discussed in Section 7.4.6, this means that formally, the hash functions are modeled as random oracles, and in implementation, the hash functions are derived from cryptographic hash functions. This represents a practical compromise under which we can get efficiency with reasonable security assurances. See [15] for a full discussion of this approach.)
We present and analyze two schemes. The first is the FDH scheme of [15]. The second is the PSS of [26]. Furthermore we present a scheme called PSS-R which has the feature of message recovery. This is a useful way to effectively shorten signature sizes.
Let us now expand on all of the above. We begin by looking at current practice. Then we consider the full domain hash scheme of [15, 26] and discuss its security. Finally we come to PSS and PSS-R, and their exact security.
We present these schemes for RSA. The same can be done for the Rabin scheme.
The material of this section is taken largely from [26].
In order to make this section self-contained, we repeat some of the basics of previous parts of this chapter. Still, the viewpoint is different, being that of concrete security, so the material is not entirely redundant.
10.5.1 Digital signature schemes
In the public key setting, the primitive used to provide data integrity is a digital signature scheme. It is just like a message authentication scheme except for an asymmetry in the key structure. The key sk used to generate tags (in this setting the tags are often called signatures) is different from the key pk used to verify signatures. Furthermore pk is public, in the sense that the adversary knows it too. So while only a signer in possession of the secret key can generate signatures, anyone in possession of the corresponding public key can verify the signatures.
Definition 10.11 A digital signature scheme $\mathcal{DS} = (\mathcal{K}, \mathcal{S}, \mathcal{V})$ consists of three algorithms, as follows:
• The randomized key generation algorithm $\mathcal{K}$ (takes no inputs and) returns a pair (pk, sk) of keys, the public key and matching secret key, respectively. We write $(pk, sk) \xleftarrow{\$} \mathcal{K}$ for the operation of executing $\mathcal{K}$ and letting (pk, sk) be the pair of keys returned.
• The signing algorithm $\mathcal{S}$ takes the secret key sk and a message M to return a signature or tag $\sigma \in \{0,1\}^* \cup \{\bot\}$. The algorithm may be randomized or stateful. We write $\sigma \xleftarrow{\$} \mathcal{S}_{sk}(M)$ or $\sigma \xleftarrow{\$} \mathcal{S}(sk, M)$ for the operation of running $\mathcal{S}$ on inputs sk, M and letting σ be the signature returned.
• The deterministic verification algorithm $\mathcal{V}$ takes a public key pk, a message M, and a candidate signature σ for M to return a bit. We write $d \leftarrow \mathcal{V}_{pk}(M, \sigma)$ or $d \leftarrow \mathcal{V}(pk, M, \sigma)$ to denote the operation of running $\mathcal{V}$ on inputs pk, M, σ and letting d be the bit returned.
We require that $\mathcal{V}_{pk}(M, \sigma) = 1$ for any key pair (pk, sk) that might be output by $\mathcal{K}$, any message M, and any $\sigma \neq \bot$ that might be output by $\mathcal{S}_{sk}(M)$. If $\mathcal{S}$ is stateless then we associate to each public key a message space Messages(pk), which is the set of all M for which $\mathcal{S}_{sk}(M)$ never returns ⊥.
Let S be an entity that wants to have a digital signature capability. The first step is key generation: S runs $\mathcal{K}$ to generate a pair of keys (pk, sk) for itself. The key generation algorithm is run locally by S. S will produce signatures using sk, and others will verify these signatures using pk. The latter requires that anyone wishing to verify S's signatures must be in possession of this key pk which S has generated. Furthermore, the verifier must be assured that the public key is authentic, meaning it really is the key of S and not someone else's.
There are various mechanisms used to ensure that a prospective verifier is in possession of an authentic public key of the signer. These usually go under the name of key management. Very briefly, here are a few options. S might "hand" its public key to the verifier. More commonly S registers pk in S's name with some trusted server who acts like a public phone book, and anyone wishing to obtain S's public key requests it of the server by sending the server the name of S and getting back the public key. Steps must be taken to ensure that this communication too is authenticated, meaning the verifier is really in communication with the legitimate server, and that the registration process itself is authentic.
In fact key management is a topic in its own right, and needs an in-depth look. We will address it later. For the moment, what is important to grasp is the separation between problems. Namely, the key management processes are not part of the digital signature scheme itself. In constructing and analyzing the security of digital signature schemes, we make the assumption that any prospective verifier is in possession of an authentic copy of the public key of the signer. This assumption is made in what follows.
Once the key structure is in place, S can produce a digital signature on some document M by running $\mathcal{S}_{sk}(M)$ to return a signature σ. The pair (M, σ) is then the authenticated version of the document. Upon receiving a document $M'$ and tag $\sigma'$ purporting to be from S, a receiver B verifies the authenticity of the signature by using the specified verification procedure, which depends on the message, signature, and public key. Namely he computes $\mathcal{V}_{pk}(M', \sigma')$, whose value is a bit. If this value is 1, it is read as saying the data is authentic, and so B accepts it as coming from S. Else it discards the data as unauthentic.
A viable scheme of course requires some security properties. But these are not our concern now. First we want to pin down what constitutes a specification of a scheme, so that we know what are the kinds of objects whose security we want to assess.
The last part of the definition says that tags that were correctly generated will pass the verification test. This simply ensures that authentic data will be accepted by the receiver.
The signature algorithm might be randomized, meaning it internally flips coins and uses these coins to determine its output. In this case, there may be many correct tags associated to a single message M. The algorithm might also be stateful, for example making use of a counter that is maintained by the sender. In that case the signature algorithm will access the counter as a global variable, updating it as necessary.
Unlike encryption schemes, whose encryption algorithms must be either randomized or stateful for the scheme to be secure, a deterministic, stateless signature algorithm is not only possible, but common.
10.5.2 A notion of security
Digital signatures aim to provide the same security property as message authentication schemes; the only change is the more flexible key structure. Accordingly, we can build on our past work in understanding and pinning down a notion of security for message authentication; the one for digital signatures differs only in that the adversary has access to the public key.
The goal of the adversary F is forgery: It wants to produce a document M and tag σ such that $\mathcal{V}_{pk}(M, \sigma) = 1$, but M did not originate with the sender S. The adversary is allowed a chosen-message attack in the process of trying to produce forgeries, and the scheme is secure if even after such an attack the adversary has low probability of producing forgeries.
Let $\mathcal{DS} = (\mathcal{K}, \mathcal{S}, \mathcal{V})$ be an arbitrary digital signature scheme. Our goal is to formalize a measure of insecurity against forgery under chosen-message attack for this scheme. The adversary's actions are viewed as divided into two phases. The first is a "learning" phase in which it is given oracle access to $\mathcal{S}_{sk}(\cdot)$, where (pk, sk) was a priori chosen at random according to $\mathcal{K}$. It can query this oracle up to q times, in any manner it pleases, as long as all the queries are messages in the underlying message space Plaintexts(pk) associated to this key. Once this phase is over, it enters a "forgery" phase, in which it outputs a pair (M, σ) with M ∈ Plaintexts(pk). The adversary is declared successful if $\mathcal{V}_{pk}(M, \sigma) = 1$ and M was never a query made by the adversary to the signing oracle. Associated to any adversary F is thus a success probability. (The probability is over the choice of keys, any probabilistic choices that $\mathcal{S}$ might make, and the probabilistic choices, if any, that F makes.) The insecurity of the scheme is the success probability of the "cleverest" possible adversary, amongst all adversaries restricted in their resources to some fixed amount.
Definition 10.12 Let $\mathcal{DS} = (\mathcal{K}, \mathcal{S}, \mathcal{V})$ be a digital signature scheme, and let A be an algorithm that has access to an oracle and returns a pair of strings. We consider the following experiment:
Experiment $\mathbf{Exp}^{\mathrm{uf\text{-}cma}}_{\mathcal{DS}}(A)$
  $(pk, sk) \xleftarrow{\$} \mathcal{K}$
  $(M, \sigma) \leftarrow A^{\mathcal{S}_{sk}(\cdot)}(pk)$
  If the following are true return 1 else return 0:
  – $\mathcal{V}_{pk}(M, \sigma) = 1$
  – M ∈ Messages(pk)
  – M was not a query of A to its oracle
The uf-cma-advantage of A is defined as
$$\mathbf{Adv}^{\mathrm{uf\text{-}cma}}_{\mathcal{DS}}(A) = \Pr\left[\mathbf{Exp}^{\mathrm{uf\text{-}cma}}_{\mathcal{DS}}(A) = 1\right] .$$
In the case of message authentication schemes, we provided the adversary not only with an oracle for producing tags, but also with an oracle for verifying them. Above, there is no verification oracle. This is because verification of a digital signature does not depend on any quantity that is secret from the adversary. Since the adversary has the public key and knows the algorithm $\mathcal{V}$, it can verify as much as it pleases by running the latter.
When we talk of the time-complexity of an adversary, we mean the worst case total execution time of the entire experiment. This means the adversary complexity, defined as the worst case execution time of A plus the size of the code of the adversary A, in some fixed RAM model of computation (worst case means the maximum over A's coins or the answers returned in response to A's oracle queries), plus the time for other operations in the experiment, including the time for key generation and the computation of answers to oracle queries via execution of the signing algorithm.
As adversary resources, we will consider this time complexity t, the message length µ, and the number of queries q to the sign oracle. We define µ as the sum of the lengths of the oracle queries plus the length of the message in the forgery output by the adversary. In practice, the queries correspond to messages signed by the legitimate sender, and it would make sense that getting these examples is more expensive than just computing on one's own. That is, we would expect q to be smaller than t. That is why q, µ are resources separate from t.
10.5.3 Generation of RSA parameters
The RSA trapdoor permutation is widely used as the basis for digital signature schemes. Let us see how. We begin with a piece of notation:
Definition 10.13 Let N, f ≥ 1 be integers. The RSA function associated to N, f is the function $\mathrm{RSA}_{N,f}: Z_N^* \to Z_N^*$ defined by $\mathrm{RSA}_{N,f}(w) = w^f \bmod N$ for all $w \in Z_N^*$.
The RSA function associated to N, f is thus simply exponentiation with exponent f in the group $Z_N^*$, but it is useful in the current context to give it a new name. The following summarizes a basic property of this function. Recall that $\varphi(N)$ is the order of the group $Z_N^*$.
Proposition 10.14 Let N ≥ 2 and $e, d \in Z^*_{\varphi(N)}$ be integers such that $ed \equiv 1 \pmod{\varphi(N)}$. Then the RSA functions $\mathrm{RSA}_{N,e}$ and $\mathrm{RSA}_{N,d}$ are both permutations on $Z_N^*$ and, moreover, are inverses of each other, i.e. $\mathrm{RSA}_{N,e}^{-1} = \mathrm{RSA}_{N,d}$ and $\mathrm{RSA}_{N,d}^{-1} = \mathrm{RSA}_{N,e}$.
A permutation, above, simply means a bijection from $Z_N^*$ to $Z_N^*$, or, in other words, a one-to-one, onto map. The condition $ed \equiv 1 \pmod{\varphi(N)}$ says that d is the inverse of e in the group $Z^*_{\varphi(N)}$.
Proof of Proposition 10.14: For any $x \in Z_N^*$, the following hold modulo N:
$$\mathrm{RSA}_{N,d}(\mathrm{RSA}_{N,e}(x)) \equiv (x^e)^d \equiv x^{ed} \equiv x^{ed \bmod \varphi(N)} \equiv x^1 \equiv x .$$
The third equivalence used the fact that $\varphi(N)$ is the order of the group $Z_N^*$. The fourth used the assumed condition on e, d. Similarly, we can show that for any $y \in Z_N^*$,
$$\mathrm{RSA}_{N,e}(\mathrm{RSA}_{N,d}(y)) \equiv y$$
modulo N. These two facts justify all the claims of the Proposition.
With N, e, d as in Proposition 10.14 we remark that
• For any $x \in Z_N^*$: $\mathrm{RSA}_{N,e}(x) = \mathrm{MOD\text{-}EXP}(x, e, N)$, and so one can efficiently compute $\mathrm{RSA}_{N,e}(x)$ given N, e, x.
• For any $y \in Z_N^*$: $\mathrm{RSA}_{N,d}(y) = \mathrm{MOD\text{-}EXP}(y, d, N)$, and so one can efficiently compute $\mathrm{RSA}_{N,d}(y)$ given N, d, y.
We now consider an adversary that is given N, e, y and asked to compute $\mathrm{RSA}_{N,e}^{-1}(y)$. If it had d, this could be done efficiently by the above, but we do not give it d. It turns out that when the parameters N, e are properly chosen, this adversarial task appears to be computationally infeasible, and this property will form the basis of both asymmetric encryption schemes and digital signature schemes based on RSA. Our goal in this section is to lay the groundwork for these later applications by showing how RSA parameters can be chosen so as to make the above claim of computational difficulty true, and formalizing the sense in which it is true.
Proposition 10.15 There is an $O(k^2)$ time algorithm that on inputs $\varphi(N), e$, where $e \in Z^*_{\varphi(N)}$ and $N < 2^k$, returns $d \in Z^*_{\varphi(N)}$ satisfying $ed \equiv 1 \pmod{\varphi(N)}$.
Proof of Proposition 10.15: Since d is the inverse of e in the group $Z^*_{\varphi(N)}$, the algorithm consists simply of running $\mathrm{MOD\text{-}INV}(e, \varphi(N))$ and returning the outcome. Recall that the modular inversion algorithm invokes the extended-gcd algorithm as a subroutine and has running time quadratic in the bit-length of its inputs.
To choose RSA parameters, one runs a generator. We consider a few types of generators:
Definition 10.16 A modulus generator with associated security parameter k (where k ≥ 2 is an integer) is a randomized algorithm that takes no inputs and returns integers N, p, q satisfying:
1. p, q are distinct, odd primes
2. N = pq
3. $2^{k-1} \le N < 2^k$ (i.e. N has bit-length k).
An RSA generator with associated security parameter k is a randomized algorithm that takes no inputs and returns a pair ((N, e), (N, p, q, d)) such that the three conditions above are true, and, in addition,
4. $e, d \in Z^*_{(p-1)(q-1)}$
5. $ed \equiv 1 \pmod{(p-1)(q-1)}$
We call N an RSA modulus, or just modulus. We call e the encryption exponent and d the decryption exponent.
Note that $(p-1)(q-1) = \varphi(N)$ is the size of the group $Z_N^*$. So above, e, d are relatively prime to the order of the group $Z_N^*$. As the above indicates, we are going to restrict attention to numbers N that are the product of two distinct odd primes. Condition (4) for the RSA generator translates to $1 \le e, d < (p-1)(q-1)$ and $\gcd(e, (p-1)(q-1)) = \gcd(d, (p-1)(q-1)) = 1$.
For parameter generation to be feasible, the generation algorithm must be efficient. There are many different possible efficient generators. We illustrate a few.
In modulus generation, we usually pick the primes p, q at random, with each being about k/2 bits long. The corresponding modulus generator $\mathcal{K}^{\$}_{\mathrm{mod}}$ with associated security parameter k works as follows:
Algorithm $\mathcal{K}^{\$}_{\mathrm{mod}}$
  $\ell_1 \leftarrow \lceil k/2 \rceil$ ; $\ell_2 \leftarrow \lfloor k/2 \rfloor$
  Repeat
    $p \xleftarrow{\$} \{2^{\ell_1 - 1}, \ldots, 2^{\ell_1} - 1\}$ ; $q \xleftarrow{\$} \{2^{\ell_2 - 1}, \ldots, 2^{\ell_2} - 1\}$
    $N \leftarrow pq$
  Until the following conditions are all true:
    – TEST-PRIME(p) = 1 and TEST-PRIME(q) = 1
    – $p \neq q$
    – $2^{k-1} \le N$
  Return N, p, q
Above, TEST-PRIME denotes an algorithm that takes as input an integer and returns 1 or 0. It is designed so that, with high probability, the former happens when the input is prime and the latter when the input is composite.
Sometimes, we may want moduli that are the product of primes having a special form, for example primes p, q such that (p−1)/2 and (q−1)/2 are both prime. This corresponds to a different modulus generator, which works as above but simply adds, to the list of conditions tested to exit the loop, the conditions TEST-PRIME((p−1)/2) = 1 and TEST-PRIME((q−1)/2) = 1. There are numerous other possible modulus generators too.
An RSA generator, in addition to N, p, q, needs to generate the exponents e, d. There are several options for this. One is to first choose N, p, q, then pick e at random subject to $\gcd(e, \varphi(N)) = 1$, and compute d via the algorithm of Proposition 10.15. This random-exponent RSA generator, denoted $\mathcal{K}^{\$}_{\mathrm{rsa}}$, is detailed below:
Algorithm $\mathcal{K}^{\$}_{\mathrm{rsa}}$
  $(N, p, q) \xleftarrow{\$} \mathcal{K}^{\$}_{\mathrm{mod}}$
  $M \leftarrow (p-1)(q-1)$
  $e \xleftarrow{\$} Z_M^*$
  Compute d by running the algorithm of Proposition 10.15 on inputs M, e
  Return ((N, e), (N, p, q, d))
In order to speed up computation of $\mathrm{RSA}_{N,e}$, however, we often like e to be small. To enable this, we begin by setting e to some small prime number like 3, and then picking the other parameters appropriately. In particular we associate to any odd prime number e the following exponent-e RSA generator:
Algorithm $\mathcal{K}^{e}_{\mathrm{rsa}}$
  Repeat
    $(N, p, q) \xleftarrow{\$} \mathcal{K}^{\$}_{\mathrm{mod}}$
  Until
    – e < (p−1) and e < (q−1)
    – gcd(e, (p−1)) = gcd(e, (q−1)) = 1
  $M \leftarrow (p-1)(q-1)$
  Compute d by running the algorithm of Proposition 10.15 on inputs M, e
  Return ((N, e), (N, p, q, d))
10.5.4 One-wayness problems
The basic assumed security property of the RSA functions is one-wayness, meaning given N, e, y it is hard to compute $\mathrm{RSA}_{N,e}^{-1}(y)$. One must be careful to formalize this properly though. The formalization chooses y at random.
Definition 10.17 Let $\mathcal{K}_{\mathrm{rsa}}$ be an RSA generator with associated security parameter k, and let A be an algorithm. We consider the following experiment:
Experiment $\mathbf{Exp}^{\mathrm{ow\text{-}kea}}_{\mathcal{K}_{\mathrm{rsa}}}(A)$
  $((N, e), (N, p, q, d)) \xleftarrow{\$} \mathcal{K}_{\mathrm{rsa}}$
  $x \xleftarrow{\$} Z_N^*$ ; $y \leftarrow x^e \bmod N$
  $x' \xleftarrow{\$} A(N, e, y)$
  If $x' = x$ then return 1 else return 0
The ow-kea-advantage of A is defined as
$$\mathbf{Adv}^{\mathrm{ow\text{-}kea}}_{\mathcal{K}_{\mathrm{rsa}}}(A) = \Pr\left[\mathbf{Exp}^{\mathrm{ow\text{-}kea}}_{\mathcal{K}_{\mathrm{rsa}}}(A) = 1\right] .$$
Above, "kea" stands for "known-exponent attack." We might also allow a chosen-exponent attack, abbreviated "cea," in which, rather than having the encryption exponent specified by the instance of the problem, one allows the adversary to choose it. The only condition imposed is that the adversary not choose e = 1.
Definition 10.18 Let $\mathcal{K}_{\mathrm{mod}}$ be a modulus generator with associated security parameter k, and let A be an algorithm. We consider the following experiment:
Experiment $\mathbf{Exp}^{\mathrm{ow\text{-}cea}}_{\mathcal{K}_{\mathrm{mod}}}(A)$
  $(N, p, q) \xleftarrow{\$} \mathcal{K}_{\mathrm{mod}}$
  $y \xleftarrow{\$} Z_N^*$
  $(x, e) \xleftarrow{\$} A(N, y)$
  If $x^e \equiv y \pmod N$ and e > 1 then return 1 else return 0.
The ow-cea-advantage of A is defined as
$$\mathbf{Adv}^{\mathrm{ow\text{-}cea}}_{\mathcal{K}_{\mathrm{mod}}}(A) = \Pr\left[\mathbf{Exp}^{\mathrm{ow\text{-}cea}}_{\mathcal{K}_{\mathrm{mod}}}(A) = 1\right] .$$
10.5.5 Trapdoor signatures
Trapdoor signatures represent the most direct way in which to attempt to build on the one-wayness of RSA in order to sign. We believe that the signer, being in possession of the secret key N, d, is the only one who can compute the inverse RSA function $\mathrm{RSA}_{N,e}^{-1} = \mathrm{RSA}_{N,d}$. For anyone else, knowing only the public key N, e, this task is computationally infeasible. Accordingly, the signer signs a message by performing on it this "hard" operation. This requires that the message be a member of $Z_N^*$, which, for convenience, is assumed. It is possible to verify a signature by performing the "easy" operation of computing $\mathrm{RSA}_{N,e}$ on the claimed signature and seeing if we get back the message.
More precisely, let $\mathcal{K}_{\mathrm{rsa}}$ be an RSA generator with associated security parameter k, as per Definition 10.16. We consider the digital signature scheme $\mathcal{DS} = (\mathcal{K}_{\mathrm{rsa}}, \mathcal{S}, \mathcal{V})$ whose signing and verifying algorithms are as follows:
Algorithm $\mathcal{S}_{N,p,q,d}(M)$
  If $M \notin Z_N^*$ then return ⊥
  $x \leftarrow M^d \bmod N$
  Return x
Algorithm $\mathcal{V}_{N,e}(M, x)$
  If ($M \notin Z_N^*$ or $x \notin Z_N^*$) then return 0
  If $M = x^e \bmod N$ then return 1 else return 0
This is a deterministic stateless scheme, and the message space for public key (N, e) is $\mathrm{Messages}(N, e) = Z_N^*$, meaning the only messages that the signer signs are those which are elements of the group $Z_N^*$. In this scheme we have denoted the signature of M by x. The signing algorithm simply applies $\mathrm{RSA}_{N,d}$ to the message to get the signature, and the verifying algorithm applies $\mathrm{RSA}_{N,e}$ to the signature and tests whether the result equals the message.
The first thing to check is that signatures generated by the signing algorithm pass the verification test. This is true because of Proposition 10.14, which tells us that if $x = M^d \bmod N$ then $x^e = M \bmod N$.
Now, how secure is this scheme? As we said above, the intuition behind it is that the signing operation should be something only the signer can perform, since computing $\mathrm{RSA}_{N,e}^{-1}(M)$ is hard without knowledge of d. However, what one should remember is that the formal assumed hardness property of RSA, namely one-wayness under known-exponent attack (we call it just one-wayness henceforth) as specified in Definition 10.17, is under a very different model and setting than that of security for signatures. One-wayness tells us that if we select M at random and then feed it to an adversary (who knows N, e but not d) and ask the latter to find $x = \mathrm{RSA}_{N,e}^{-1}(M)$, then the adversary will have a hard time succeeding. But the adversary in a signature scheme is not given a random message M on which to forge a signature. Rather, its goal is to create a pair (M, x) such that $\mathcal{V}_{N,e}(M, x) = 1$. It does not have to try to imitate the signing algorithm; it must only do something that satisfies the verification algorithm. In particular it is allowed to choose M rather than having to sign a given or random M. It is also allowed to obtain a valid signature on any message other than the M it eventually outputs, via the signing oracle, corresponding in this case to having an oracle for $\mathrm{RSA}_{N,e}^{-1}(\cdot)$. These features make it easy for an adversary to forge signatures.
A couple of simple forging strategies are illustrated below. The first is to simply output the forgery in which the message and signature are both set to 1. The second is to first pick at random a value that will play the role of the signature, and then compute the message based on it:
Forger $F_1^{\mathcal{S}_{N,p,q,d}(\cdot)}(N, e)$
  Return (1, 1)
Forger $F_2^{\mathcal{S}_{N,p,q,d}(\cdot)}(N, e)$
  $x \xleftarrow{\$} Z_N^*$ ; $M \leftarrow x^e \bmod N$
  Return (M, x)
These forgers make no queries to their signing oracles. We note that $1^e \equiv 1 \pmod N$, and hence the uf-cma-advantage of $F_1$ is 1. Similarly, the value (M, x) returned by the second forger satisfies $x^e \bmod N = M$ and hence it has uf-cma-advantage 1 too. The time-complexity in both cases is very low. (In the second case, the forger uses $O(k^3)$ time to do its exponentiation modulo N.) So these attacks indicate the scheme is totally insecure.
The message M whose signature the above forger managed to forge is random. This is enough to break the scheme as per our definition of security, because we made a very strong definition of security. Actually for this scheme it is possible to even forge the signature of a given message M, but this time one has to use the signing oracle. The attack relies on the multiplicativity of the RSA function.
Forger $F^{\mathcal{S}_{N,e}(\cdot)}(N, e)$
  $M_1 \xleftarrow{\$} Z_N^* - \{1, M\}$ ; $M_2 \leftarrow M M_1^{-1} \bmod N$
  $x_1 \leftarrow \mathcal{S}_{N,e}(M_1)$ ; $x_2 \leftarrow \mathcal{S}_{N,e}(M_2)$
  $x \leftarrow x_1 x_2 \bmod N$
  Return (M, x)
Given M the forger wants to compute a valid signature x for M. It creates $M_1, M_2$ as shown, and obtains their signatures $x_1, x_2$. It then sets $x = x_1 x_2 \bmod N$. Now the verification algorithm will check whether $x^e \bmod N = M$. But note that
$$x^e \equiv (x_1 x_2)^e \equiv x_1^e x_2^e \equiv M_1 M_2 \equiv M \pmod N .$$
Here we used the multiplicativity of the RSA function and the fact that $x_i$ is a valid signature of $M_i$ for i = 1, 2. This means that x is a valid signature of M. Since $M_1$ is chosen to not be 1 or M, the same is true of $M_2$, and thus M was not an oracle query of F. So F succeeds with probability one.
These attacks indicate that there is more to signatures than one-wayness of the underlying function.
10.5.6 The hash-then-invert paradigm
Real-world RSA based signature schemes need to surmount the above attacks, and also attend to other impracticalities of the trapdoor setting. In particular, messages are not usually group elements; they are possibly long files, meaning bit strings of arbitrary lengths. Both issues are typically dealt with by preprocessing the given message M via a hash function to yield a point y in the range of $\mathrm{RSA}_{N,e}$, and then applying $\mathrm{RSA}_{N,e}^{-1}$ to y to obtain the signature. The hash function is public, meaning its description is known, and anyone can compute it.
To make this more precise, let $\mathcal{K}_{\mathrm{rsa}}$ be an RSA generator with associated security parameter k and let Keys be the set of all moduli N that have positive probability to be output by $\mathcal{K}_{\mathrm{rsa}}$. Let Hash be a family of functions whose key space is Keys and such that $\mathrm{Hash}_N: \{0,1\}^* \to Z_N^*$ for every N ∈ Keys. Let $\mathcal{DS} = (\mathcal{K}_{\mathrm{rsa}}, \mathcal{S}, \mathcal{V})$ be the digital signature scheme whose signing and verifying algorithms are as follows:
Algorithm $\mathcal{S}_{N,p,q,d}(M)$
  $y \leftarrow \mathrm{Hash}_N(M)$
  $x \leftarrow y^d \bmod N$
  Return x
Algorithm $\mathcal{V}_{N,e}(M, x)$
  $y \leftarrow \mathrm{Hash}_N(M)$
  $y' \leftarrow x^e \bmod N$
  If $y = y'$ then return 1 else return 0
Let us see why this might help resolve the weaknesses of trapdoor signatures, and what requirements security imposes on the hash function.
Let us return to the attacks presented on the trapdoor signature scheme above. Begin with the first forger we presented, who simply output (1, 1). Is this an attack on our new scheme? To tell, we see what happens when the above verification algorithm is invoked on input 1, 1. We see that it returns 1 only if $\mathrm{Hash}_N(1) \equiv 1^e \pmod N$. Thus, to prevent this attack it suffices to ensure that $\mathrm{Hash}_N(1) \neq 1$. The second forger we had previously set M to $x^e \bmod N$ for some random $x \in Z_N^*$. What is the success probability of this strategy under the hash-then-invert scheme? The forger wins if $x^e \bmod N = \mathrm{Hash}_N(M)$ (rather than merely $x^e \bmod N = M$ as before). The hope is that with a "good" hash function, it is very unlikely that $x^e \bmod N = \mathrm{Hash}_N(M)$.
Consider now the third attack we presented above, which relied on the multiplicativity of the RSA function. For this attack to work under the hash-then-invert scheme, it would have to be true that
$$\mathrm{Hash}_N(M_1) \cdot \mathrm{Hash}_N(M_2) \equiv \mathrm{Hash}_N(M) \pmod N . \qquad (10.1)$$
Again, with a "good" hash function, we would hope that this is unlikely to be true.
The hash function is thus supposed to "destroy" the algebraic structure that makes attacks like the above possible. How we might find one that does this is something we have not addressed.
While the hash function might prevent some attacks that worked on the trapdoor scheme, its use leads to a new line of attack, based on collisions in the hash function. If an adversary can find two distinct messages $M_1, M_2$ that hash to the same value, meaning $\mathrm{Hash}_N(M_1) = \mathrm{Hash}_N(M_2)$, then it can easily forge signatures, as follows:
Forger $F^{\mathcal{S}_{N,p,q,d}(\cdot)}(N, e)$
  $x_1 \leftarrow \mathcal{S}_{N,p,q,d}(M_1)$
  Return $(M_2, x_1)$
This works because $M_1, M_2$ have the same signature. Namely, because $x_1$ is a valid signature of $M_1$, and because $M_1, M_2$ have the same hash value, we have
$$x_1^e \equiv \mathrm{Hash}_N(M_1) \equiv \mathrm{Hash}_N(M_2) \pmod N ,$$
and this means the verification procedure will accept $x_1$ as a signature of $M_2$. Thus, a necessary requirement on the hash function Hash is that it be CR2-KK, meaning given N it should be computationally infeasible to find distinct values $M, M'$ such that $\mathrm{Hash}_N(M) = \mathrm{Hash}_N(M')$.
Below we will go on to more concrete instantiations of the hash-then-invert paradigm. But before we do that, it is important to try to assess what we have done so far. Above, we have pinpointed some features of the hash function that are necessary for the security of the signature scheme. Collision-resistance is one. The other requirement is not so well formulated, but roughly we want to destroy algebraic structure in such a way that Equation (10.1), for example, should fail with high probability. Classical design focuses on these attacks and associated features of the hash function, and aims to implement suitable hash functions. But if you have been understanding the approaches and viewpoints we have been endeavoring to develop in this class and notes, you should have a more critical perspective. The key point to note is that what we need is not really to pinpoint necessary features of the hash function to prevent certain attacks, but rather to pinpoint sufficient features of the hash function, namely features sufficient to prevent all attacks, even ones that have not yet been conceived. And we have not done this. Of course, pinning down necessary features of the hash function is useful to gather intuition about what sufficient features might be, but it is only that, and we must be careful to not be seduced into thinking that it is enough, that we have identified all the concerns. Practice proves this complacence wrong again and again.
How can we hope to do better? Return to the basic philosophy of provable security. We want assurance that the signature scheme is secure under the assumption that its underlying primitives are secure. Thus we must try to tie the security of the signature scheme to the security of RSA as a one-way function, and some security condition on the hash function. With this in mind, let us proceed to examine some suggested solutions.
Cryptography: Lecture Notes 191
10.5.7 The PKCS #1 scheme
RSA corporation has been one of the main sources of software and standards for RSA-based cryptography. RSA
Labs (now a part of Security Dynamics Corporation) has created a set of standards called PKCS (Public Key
Cryptography Standards). PKCS #1 is about signature (and encryption) schemes based on the RSA function.
This standard is in wide use, and accordingly it will be illustrative to see what they do.
The standard uses the hash-then-invert paradigm, instantiating Hash via a particular hash function PKCSHash
which we now describe. Recall we have already discussed collision-resistant hash functions. Let us fix a function
$h\colon \{0,1\}^* \to \{0,1\}^l$ where $l \ge 128$ and which is “collision-resistant” in the sense that nobody knows how to find
any pair of distinct points $M, M'$ such that $h(M) = h(M')$. Currently the role tends to be played by SHA-1,
so that $l = 160$. Prior to that it was MD5, which has $l = 128$. The RSA PKCS #1 standard defines
$$\mathrm{PKCSHash}_N(M) = \mathtt{00}\,\mathtt{01}\,\mathtt{FF}\,\mathtt{FF}\,\cdots\,\mathtt{FF}\,\mathtt{00}\,\|\,h(M).$$
Here $\|$ denotes concatenation, and enough FF-bytes are inserted that the length of $\mathrm{PKCSHash}_N(M)$ is equal to
$k$ bits. Note that the first four bits of the hash output are zero, meaning as an integer it is certainly less than $N$,
and thus most likely in $\mathbb{Z}_N^*$, since most numbers between 1 and $N$ are in $\mathbb{Z}_N^*$. Also note that finding collisions
in PKCSHash is no easier than finding collisions in $h$, so if the latter is collision-resistant then so is the former.
Recall that the signature scheme is exactly that of the hash-then-invert paradigm. For concreteness, let us
rewrite the signing and verifying algorithms:

Algorithm $\mathcal{S}_{N,p,q,d}(M)$
  $y \leftarrow \mathrm{PKCSHash}_N(M)$
  $x \leftarrow y^d \bmod N$
  Return $x$

Algorithm $\mathcal{V}_{N,e}(M, x)$
  $y \leftarrow \mathrm{PKCSHash}_N(M)$
  $y' \leftarrow x^e \bmod N$
  If $y = y'$ then return 1 else return 0
Now what about the security of this signature scheme? Our first concern is the kinds of algebraic attacks we
saw on trapdoor signatures. As discussed in Section 10.5.6, we would like that relations like Equation (10.1)
fail. This we appear to get; it is hard to imagine how $\mathrm{PKCSHash}_N(M_1) \cdot \mathrm{PKCSHash}_N(M_2) \bmod N$ could have
the specific structure required to make it look like the PKCS-hash of some message. This isn't a proof that the
attack is impossible, of course, but at least it is not evident.
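The collision forgery of Section 10.5.6 and the PKCS-style padding just defined, as an added Python example that is not code from these notes. The key is a toy 216-bit modulus built from two Mersenne primes (an assumption made only so that a SHA-1 digest plus padding fits; it is far too small for real use), `pkcs_hash` builds `00 01 FF..FF 00 || h(M)` exactly as defined above, and the forgery is run against a deliberately truncated `h_weak` so that a collision can be found by a birthday search in a few hundred trials; all message strings are constructed here. The point to observe is that `verify` accepts the signature on $M_1$ as a signature on $M_2$ without the forger ever touching $d$.

```python
import hashlib
from math import gcd

# Toy RSA key (illustration only): the modulus is the product of the Mersenne
# primes 2^127 - 1 and 2^89 - 1, giving k = 216 bits, far too small for real use
# but wide enough to hold a SHA-1 digest plus the 00 01 FF..FF 00 padding.
P, Q = 2**127 - 1, 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K_BYTES = (N.bit_length() + 7) // 8       # k/8 = 27


def h_sha1(msg: bytes) -> bytes:
    """The l-bit hash h of the text (SHA-1, so l = 160)."""
    return hashlib.sha1(msg).digest()


def pkcs_hash(msg: bytes, h=h_sha1) -> int:
    """PKCSHash_N(M) = 00 01 FF...FF 00 || h(M), padded to exactly k/8 bytes."""
    digest = h(msg)
    n_ff = K_BYTES - 3 - len(digest)
    if n_ff < 1:
        raise ValueError("modulus too small for this digest")
    y = int.from_bytes(b"\x00\x01" + b"\xff" * n_ff + b"\x00" + digest, "big")
    assert 0 < y < N                       # the leading 00 byte guarantees y < N
    return y


def sign(msg: bytes, h=h_sha1) -> int:
    """Hash-then-invert: x = PKCSHash_N(M)^d mod N."""
    return pow(pkcs_hash(msg, h), D, N)


def verify(msg: bytes, x: int, h=h_sha1) -> bool:
    """Accept iff x is a unit in [1, N) and x^e = PKCSHash_N(M) mod N."""
    if not (1 <= x < N) or gcd(x, N) != 1:
        return False
    return pow(x, E, N) == pkcs_hash(msg, h)


def image_fraction_log2(l: int = 160) -> int:
    """log2 of the bound |S_N| / |Z_N^*| <= 2^l / 2^(k-1) from the text, for this
    toy k; with k = 1024 the same expression gives -863."""
    return l - (N.bit_length() - 1)


# --- the collision attack of Section 10.5.6, against a deliberately weak h ---

def h_weak(msg: bytes) -> bytes:
    """SHA-1 truncated to 16 bits: collision-resistance is gone, which is the
    only property of h the forgery below needs to break."""
    return hashlib.sha1(msg).digest()[:2]


def find_collision(h=h_weak):
    """Birthday search over constructed messages: distinct M1, M2 with h(M1) == h(M2)."""
    seen = {}
    for i in range(1 << 20):
        m = b"msg-%d" % i
        d = h(m)
        if d in seen:
            return seen[d], m
        seen[d] = m
    raise RuntimeError("no collision found")


def collision_forgery(h=h_weak):
    """The forger F of the text: one signing query on M1, then output (M2, x1).
    Returns (M2, x1, accepted_by_verifier)."""
    m1, m2 = find_collision(h)
    x1 = sign(m1, h)                       # the only signing query F makes
    return m2, x1, verify(m2, x1, h)
```

`collision_forgery()` returns the forged pair together with `True`, since $x_1^e$ equals the padded hash of both messages. `image_fraction_log2()` evaluates the density bound $|S_N|/|\mathbb{Z}_N^*| \le 2^{l}/2^{k-1}$ for the toy $k = 216$; the same expression with $k = 1024$ gives $2^{-863}$.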
This is the point where our approach departs from the classical attack-based design one. Under the latter, the
above scheme is acceptable because known attacks fail. But looking deeper there is cause for concern. The
approach we want to take is to see how the desired security of the signature scheme relates to the assumed or
understood security of the underlying primitive, in this case the RSA function.
We are assuming RSA is one-way, meaning it is computationally infeasible to compute $\mathrm{RSA}^{-1}_{N,e}(y)$ for a
randomly chosen point $y \in \mathbb{Z}_N^*$. On the other hand, the points to which $\mathrm{RSA}^{-1}_{N,e}$ is applied in the signature scheme
are those in the set $S_N = \{\mathrm{PKCSHash}_N(M) : M \in \{0,1\}^*\}$. The size of $S_N$ is at most $2^l$ since $h$ outputs $l$
bits and the other bits of $\mathrm{PKCSHash}_N(\cdot)$ are fixed. With SHA-1 this means $|S_N| \le 2^{160}$. This may seem like
quite a big set, but within the RSA domain $\mathbb{Z}_N^*$ it is tiny. For example when $k = 1024$, which is a recommended
value of the security parameter these days, we have
$$\frac{|S_N|}{|\mathbb{Z}_N^*|} \le \frac{2^{160}}{2^{1023}} = \frac{1}{2^{863}}.$$
This is the probability with which a point chosen randomly from $\mathbb{Z}_N^*$ lands in $S_N$. For all practical purposes, it
is zero. So RSA could very well be one-way and still be easy to invert on $S_N$, since the chance of a random point
landing in $S_N$ is so tiny. So the security of the PKCS scheme cannot be guaranteed solely under the standard
one-wayness assumption on RSA. Note this is true no matter how “good” is the underlying hash function $h$ (in
this case SHA-1) which forms the basis for PKCSHash. The problem is the design of PKCSHash itself, in
particular the padding.
The security of the PKCS signature scheme would require the assumption that RSA is hard to invert on the set
$S_N$, a minuscule fraction of its full range. (And even this would be only a necessary, but not sufficient, condition
for the security of the signature scheme.)
192 Goldwasser and Bellare
Let us try to clarify and emphasize the view taken here. We are not saying that we know how to attack the
PKCS scheme. But we are saying that an absence of known attacks should not be deemed a good reason to
be satisfied with the scheme. We can identify “design flaws,” such as the way the scheme uses RSA, which is
not in accordance with our understanding of the security of RSA as a one-way function. And this is cause for
concern.
10.5.8 The FDH scheme
From the above we see that if the hash-then-invert paradigm is to yield a signature scheme whose security can
be based on the one-wayness of the RSA function, it must be that the points $y$ on which $\mathrm{RSA}^{-1}_{N,e}$ is applied
in the scheme are random ones. In other words, the output of the hash function must always “look random”.
Yet, even this only highlights a necessary condition, not (as far as we know) a sufficient one.
We now ask ourselves the following question. Suppose we had a “perfect” hash function Hash. In that case, at
least, is the hash-then-invert signature scheme secure? To address this we must first decide what is a “perfect”
hash function. The answer is quite natural: one that is random, namely returns a random answer to any query
except for being consistent with respect to past queries. (We will explain more how this “random oracle” works
later, but for the moment let us continue.) So our question becomes: in a model where Hash is perfect, can we
prove that the signature scheme is secure if RSA is one-way?
This is a basic question indeed. If the hash-then-invert paradigm is in any way viable, we really must be able
to prove security in the case the hash function is perfect. Were it not possible to prove security in this model
it would be extremely inadvisable to adopt the hash-then-invert paradigm; if it doesn't work for a perfect hash
function, how can we expect it to work in any real world setting?
Accordingly, we now focus on this “thought experiment” involving the use of the signature scheme with a perfect
hash function. It is a thought experiment because no specific hash function is perfect. Our “hash function” is
no longer fixed, it is just a box that flips coins. Yet, this thought experiment has something important to say
about the security of our signing paradigm. It is not only a key step in our understanding but will lead us to
better concrete schemes as we will see later.
Now let us say more about perfect hash functions. We assume that Hash returns a random member of $\mathbb{Z}_N^*$
every time it is invoked, except that if twice invoked on the same message, it returns the same thing both
times. In other words, it is an instance of a random function with domain $\{0,1\}^*$ and range $\mathbb{Z}_N^*$. We have seen
such objects before, when we studied pseudorandomness: remember that we defined pseudorandom functions
by considering experiments involving random functions. So the concept is not new. We call Hash a random
oracle, and denote it by $H$ in this context. It is accessible to all parties, signer, verifiers and adversary, but
as an oracle. This means it is only accessible across a specified interface. To compute $H(M)$ a party must
make an oracle call. This means it outputs $M$ together with some indication that it wants $H(M)$ back, and an
appropriate value is returned. Specifically it can output a pair (hash, $M$), the first component being merely a
formal symbol used to indicate that this is a hash-oracle query. Having output this, the calling algorithm waits
for the answer. Once the value $H(M)$ is returned, it continues its execution.
The best way to think about $H$ is as a dynamic process which maintains a table of input-output pairs. Every
time a query (hash, $M$) is made, the process first checks if its table contains a pair of the form $(M, y)$ for some
$y$, and if so, returns $y$. Else it picks a random $y$ in $\mathbb{Z}_N^*$, puts $(M, y)$ into the table, and returns $y$ as the answer
to the oracle query.
We consider the above hash-then-invert signature scheme in the model where the hash function Hash is a random
oracle $H$. This is called the Full Domain Hash (FDH) scheme. More precisely, let $\mathcal{K}_{rsa}$ be an RSA generator
with associated security parameter $k$. The FDH-RSA signature scheme associated to $\mathcal{K}_{rsa}$ is the digital signature
scheme $\mathcal{DS} = (\mathcal{K}_{rsa}, \mathcal{S}, \mathcal{V})$ whose signing and verifying algorithms are as follows:

Algorithm $\mathcal{S}^{H(\cdot)}_{N,p,q,d}(M)$
  $y \leftarrow H(M)$
  $x \leftarrow y^d \bmod N$
  Return $x$

Algorithm $\mathcal{V}^{H(\cdot)}_{N,e}(M, x)$
  $y \leftarrow H(M)$
  $y' \leftarrow x^e \bmod N$
  If $y = y'$ then return 1 else return 0
The only change with respect to the way we wrote the algorithms for the generic hash-then-invert scheme of
Section 10.5.6 is notational: we write $H$ as a superscript to indicate that it is an oracle accessible only via
the specified oracle interface. The instruction $y \leftarrow H(M)$ is implemented by making the query (hash, $M$) and
letting $y$ denote the answer returned, as discussed above.
We now ask ourselves whether the above signature scheme is secure under the assumption that RSA is one-way.
To consider this question we first need to extend our definitions to encompass the new model. The key difference
is that the success probability of an adversary is taken over the random choice of $H$ in addition to the random
choices previously considered. The forger $F$ as before has access to a signing oracle, but now also has access to
$H$. Furthermore, $\mathcal{S}$ and $\mathcal{V}$ now have access to $H$. Let us first write the experiment that measures the success
of forger $F$ and then discuss it more.

Experiment $\mathbf{Exp}^{\text{uf-cma}}_{\mathcal{DS}}(F)$
  $((N, e), (N, p, q, d)) \xleftarrow{\$} \mathcal{K}_{rsa}$
  $H \xleftarrow{\$} \mathrm{Func}(\{0,1\}^*, \mathbb{Z}_N^*)$
  $(M, x) \xleftarrow{\$} F^{H(\cdot),\,\mathcal{S}^{H(\cdot)}_{N,p,q,d}(\cdot)}(N, e)$
  If the following are true return 1 else return 0:
  – $\mathcal{V}^{H(\cdot)}_{N,e}(M, x) = 1$
  – $M$ was not a query of $F$ to its sign oracle
Note that the forger is given oracle access to $H$ in addition to the usual access to the sign oracle that models
a chosen-message attack. After querying its oracles some number of times the forger outputs a message $M$ and
candidate signature $x$ for it. We say that $F$ is successful if the verification process would accept $M, x$, but $F$
never asked the signing oracle to sign $M$. ($F$ is certainly allowed to make hash query $M$, and indeed it is hard
to imagine how it might hope to succeed in forgery otherwise, but it is not allowed to make sign query $M$.) The
uf-cma-advantage of $F$ is defined as
$$\mathbf{Adv}^{\text{uf-cma}}_{\mathcal{DS}}(F) = \Pr\left[\mathbf{Exp}^{\text{uf-cma}}_{\mathcal{DS}}(F) = 1\right].$$
We will want to consider adversaries with time-complexity at most $t$, making at most $q_{\mathrm{sig}}$ sign oracle queries and
at most $q_{\mathrm{hash}}$ hash oracle queries, and with total query message length $\mu$. Resources refer again to those of the
entire experiment. We first define the execution time as the time taken by the entire experiment $\mathbf{Exp}^{\text{uf-cma}}_{\mathcal{DS}}(F)$.
This means it includes the time to compute answers to oracle queries, to generate the keys, and even to verify
the forgery. Then the time-complexity $t$ is supposed to upper bound the execution time plus the size of the
code of $F$. In counting hash queries we again look at the entire experiment and ask that the total number of
queries to $H$ here be at most $q_{\mathrm{hash}}$. Included in the count are the direct hash queries of $F$, the indirect hash
queries made by the signing oracle, and even the hash query made by the verification algorithm in the last step.
This latter means that $q_{\mathrm{hash}}$ is always at least the number of hash queries required for a verification, which
for FDH-RSA is one. In fact for FDH-RSA we will have $q_{\mathrm{hash}} \ge q_{\mathrm{sig}} + 1$, something to be kept in mind when
interpreting later results. Finally $\mu$ is the sum of the lengths of all messages in sign queries plus the length of
the final output message $M$.
However, there is one point that needs to be clarified here, namely that if time-complexity refers to that of the
entire experiment, how do we measure the time to pick $H$ at random? It is an infinite object and thus cannot
be actually chosen in finite time. The answer is that although we write $H$ as being chosen at random upfront
in the experiment, this is not how it is implemented. Instead, imagine $H$ as being chosen dynamically. Think
of the process implementing the table we described, so that random choices are made only at the time the $H$
oracle is called, and the cost is that of maintaining and updating a table that holds the values of $H$ on inputs
queried so far. Namely when a query $M$ is made to $H$, we charge the cost of looking up the table, checking
whether $H(M)$ was already defined and returning it if so, else picking a random point from $\mathbb{Z}_N^*$, putting it in
the table with index $M$, and returning it as well.
In this setting we claim that the FDH-RSA scheme is secure. The following theorem upper bounds its uf-cma
advantage solely in terms of the ow-kea advantage of the underlying RSA generator.
Theorem 10.19 Let $\mathcal{K}_{rsa}$ be an RSA generator with associated security parameter $k$, and let $\mathcal{DS}$ be the FDH-RSA
scheme associated to $\mathcal{K}_{rsa}$. Let $F$ be an adversary making at most $q_{\mathrm{hash}}$ queries to its hash oracle and at
most $q_{\mathrm{sig}}$ queries to its signing oracle, where $q_{\mathrm{hash}} \ge 1 + q_{\mathrm{sig}}$. Then there exists an adversary $I$ such that
$$\mathbf{Adv}^{\text{uf-cma}}_{\mathcal{DS}}(F) \le q_{\mathrm{hash}} \cdot \mathbf{Adv}^{\text{ow-kea}}_{\mathcal{K}_{rsa}}(I), \qquad (10.2)$$
and $I$, $F$ are of comparable resources.
The theorem says that the only way to forge signatures in the FDH-RSA scheme is to try to invert the RSA
function on random points. There is some loss in security: it might be that the chance of breaking the signature
scheme is larger than that of inverting RSA in comparable time, by a factor of the number of hash queries made
in the forging experiment. But we can make $\mathbf{Adv}^{\text{ow-kea}}_{\mathcal{K}_{rsa}}(I)$ small enough that even $q_{\mathrm{hash}} \cdot \mathbf{Adv}^{\text{ow-kea}}_{\mathcal{K}_{rsa}}(I)$ is small,
by choosing a larger modulus size $k$.
One must remember the caveat: this is in a model where the hash function is random. Yet, even this tells
us something, namely that the hash-then-invert paradigm itself is sound, at least for “perfect” hash functions.
This puts us in a better position to explore concrete instantiations of the paradigm.
Let us now proceed to the proof of Theorem 10.19. Remember that inverter $I$ takes as input $(N, e)$, describing
$\mathrm{RSA}_{N,e}$, and also a point $y \in \mathbb{Z}_N^*$. Its job is to try to output $\mathrm{RSA}^{-1}_{N,e}(y) = y^d \bmod N$, where $d$ is the decryption
exponent corresponding to encryption exponent $e$. Of course, neither $d$ nor the factorization of $N$ are available
to $I$. The success of $I$ is measured under a random choice of $((N, e), (N, p, q, d))$ as given by $\mathcal{K}_{rsa}$, and also a
random choice of $y$ from $\mathbb{Z}_N^*$. In order to accomplish its task, $I$ will run $F$ as a subroutine, on input public
key $(N, e)$, hoping somehow to use $F$'s ability to forge signatures to find $\mathrm{RSA}^{-1}_{N,e}(y)$. Before we discuss how $I$
might hope to use the forger to determine the inverse of point $y$, we need to take a closer look at what it means
to run $F$ as a subroutine.
Recall that $F$ has access to two oracles, and makes calls to them. At any point in its execution it might output
(hash, $M$). It will then wait for a return value, which it interprets as $H(M)$. Once this is received, it continues
its execution. Similarly it might output (sign, $M$) and then wait to receive a value it interprets as $\mathcal{S}^{H(\cdot)}_{N,p,q,d}(M)$.
Having got this value, it continues. The important thing to understand is that $F$, as an algorithm, merely
communicates with oracles via an interface. It does not control what these oracles return. You might think of
an oracle query like a system call. Think of $F$ as writing an oracle query $M$ at some specific prescribed place
in memory. Some process is expected to put in another prescribed place a value that $F$ will take as the answer.
$F$ reads what is there, and goes on.
When $I$ executes $F$, no oracles are actually present. $F$ does not know that. It will at some point make an
oracle query, assuming the oracles are present, say query (hash, $M$). It then waits for an answer. If $I$ wants to
run $F$ to completion, it is up to $I$ to provide some answer to $F$ as the answer to this oracle query. $F$ will take
whatever it is given and go on executing. If $I$ cannot provide an answer, $F$ will not continue running; it will
just sit there, waiting. We have seen this idea of “simulation” before in several proofs: $I$ is creating a “virtual
reality” under which $F$ can believe itself to be in its usual environment.
The strategy of $I$ will be to take advantage of its control over responses to oracle queries. It will choose them
in strange ways, not quite the way they were chosen in Experiment $\mathbf{Exp}^{\text{uf-cma}}_{\mathcal{DS}}(F)$. Since $F$ is just an algorithm,
it processes whatever it receives, and eventually will halt with some output, a claimed forgery $(M, x)$. By
clever choices of replies to oracle queries, $I$ will ensure that $F$ is fooled into not knowing that it is not really in
$\mathbf{Exp}^{\text{uf-cma}}_{\mathcal{DS}}(F)$, and furthermore $x$ will be the desired inverse of $y$. Not always, though; $I$ has to be lucky. But it
will be lucky often enough.
We begin by considering the case of a very simple forger $F$. It makes no sign queries and exactly one hash query
(hash, $M$). It then outputs a pair $(M, x)$ as the claimed forgery, the message $M$ being the same in the hash
query and the forgery. (In this case we have $q_{\mathrm{sig}} = 0$ and $q_{\mathrm{hash}} = 2$, the last due to the hash query of $F$ and
the final verification query in the experiment.) Now if $F$ is successful then $x$ is a valid signature of $M$, meaning
$x^e \equiv H(M) \pmod N$, or, equivalently, $x \equiv H(M)^d \pmod N$. Somehow, $F$ has found the inverse of $H(M)$, the
value returned to it as the response to oracle query $M$. Now remember that $I$'s goal had been to compute
$y^d \bmod N$ where $y$ was its given input. A natural thought suggests itself: if $F$ can invert $\mathrm{RSA}_{N,e}$ at $H(M)$,
then $I$ will “set” $H(M)$ to $y$, and thereby obtain the inverse of $y$ under $\mathrm{RSA}_{N,e}$. $I$ can set $H(M)$ in this way
because it controls the answers to oracle queries. When $F$ makes query (hash, $M$), the inverter $I$ will simply
return $y$ as the response. If $F$ then outputs a valid forgery $(M, x)$, we have $x = y^d \bmod N$, and $I$ can output $x$,
its job done.
But why would $F$ return a valid forgery when it got $y$ as its response to hash query $M$? Maybe it will refuse
this, saying it will not work on points supplied by an inverter $I$. But this will not happen. $F$ is simply an
algorithm and works on whatever it is given. What is important is solely the distribution of the response. In
Experiment $\mathbf{Exp}^{\text{uf-cma}}_{\mathcal{DS}}(F)$ the response to (hash, $M$) is a random element of $\mathbb{Z}_N^*$. But $y$ has exactly the same
distribution, because that is how it is chosen in the experiment defining the success of $I$ in breaking RSA as
a one-way function. So $F$ cannot behave any differently in this virtual reality than it could in its real world;
its probability of returning a valid forgery is still $\mathbf{Adv}^{\text{uf-cma}}_{\mathcal{DS}}(F)$. Thus for this simple $F$ the success probability
of the inverter in finding $y^d \bmod N$ is exactly the same as the success probability of $F$ in forging signatures.
Equation (10.2) claims less, so we certainly satisfy it.
However, most forgers will not be so obliging as to make no sign queries, and just one hash query consisting of
the very message in their forgery. $I$ must be able to handle any forger.
Inverter $I$ will define a pair of subroutines, HSim (called the hash oracle simulator) and SSim (called the
sign oracle simulator) to play the role of the hash and sign oracles respectively. Namely, whenever $F$ makes
a query (hash, $M$) the inverter $I$ will return $\mathrm{HSim}(M)$ to $F$ as the answer, and whenever $F$ makes a query
(sign, $M$) the inverter $I$ will return $\mathrm{SSim}(M)$ to $F$ as the answer. (The SSim routine will additionally invoke
HSim.) As it executes, $I$ will build up various tables (arrays) that “define” $H$. For $j = 1, \ldots, q_{\mathrm{hash}}$, the $j$th
string on which $H$ is called in the experiment (either directly due to a hash query by $F$, indirectly due to a
sign query by $F$, or due to the final verification query) will be recorded as $\mathrm{Msg}[j]$; the response returned by the
hash oracle simulator to $\mathrm{Msg}[j]$ is stored as $Y[j]$; and if $\mathrm{Msg}[j]$ is a sign query then the response returned to $F$
as the “signature” is $X[j]$. Now the question is how $I$ defines all these values.
Suppose the $j$th hash query in the experiment arises indirectly, as a result of a sign query (sign, $\mathrm{Msg}[j]$) by
$F$. In Experiment $\mathbf{Exp}^{\text{uf-cma}}_{\mathcal{DS}}(F)$ the forger will be returned $H(\mathrm{Msg}[j])^d \bmod N$. If $I$ wants to keep $F$ running
it must return something plausible. What could $I$ do? It could attempt to directly mimic the signing process,
setting $Y[j]$ to a random value (remember $Y[j]$ plays the role of $H(\mathrm{Msg}[j])$) and returning $(Y[j])^d \bmod N$. But
it won't be able to compute the latter since it is not in possession of the secret signing exponent $d$. The trick,
instead, is that $I$ first picks a value $X[j]$ at random in $\mathbb{Z}_N^*$ and sets $Y[j] = (X[j])^e \bmod N$. Now it can return
$X[j]$ as the answer to the sign query, and this answer is accurate in the sense that the verification relation
(which $F$ might check) holds: we have $Y[j] \equiv (X[j])^e \pmod N$.
This leaves a couple of loose ends. One is that we assumed above that $I$ has the liberty of defining $Y[j]$ at
the point the sign query was made. But perhaps $\mathrm{Msg}[j] = \mathrm{Msg}[l]$ for some $l < j$ due to there having been a
hash query involving this same message in the past. Then the hash value $Y[j]$ is already defined, as $Y[l]$, and
cannot be changed. This can be addressed quite simply however: for any hash query $\mathrm{Msg}[l]$, the hash simulator
can follow the above strategy of setting the reply $Y[l] = (X[l])^e \bmod N$ at the time the hash query is made,
meaning it prepares itself ahead of time for the possibility that $\mathrm{Msg}[l]$ is later a sign query. Maybe it will not
be, but nothing is lost.
Well, almost. Something is lost, actually. A reader who has managed to stay awake so far may notice that
we have solved two problems: how to use $F$ to find $y^d \bmod N$ where $y$ is the input to $I$, and how to simulate
answers to sign and hash queries of $F$, but that these processes are in conflict. The way we got $y^d \bmod N$ was
by returning $y$ as the answer to query (hash, $M$) where $M$ is the message in the forgery. However, we do not
know beforehand which message in a hash query will be the one in the forgery. So it is difficult to know how to
answer a hash query $\mathrm{Msg}[j]$; do we return $y$, or do we return $(X[j])^e \bmod N$ for some $X[j]$? If we do the first,
we will not be able to answer a sign query with message $\mathrm{Msg}[j]$; if we do the second, and if $\mathrm{Msg}[j]$ equals the
message in the forgery, we will not find the inverse of $y$. The answer is to take a guess as to which to do. There
is some chance that this guess is right, and $I$ succeeds in that case.
Specifically, notice that $\mathrm{Msg}[q_{\mathrm{hash}}] = M$ is the message in the forgery by definition since $\mathrm{Msg}[q_{\mathrm{hash}}]$ is the message
in the final verification query. The message $M$ might occur more than once in the list, but it occurs at least once.
Now $I$ will choose a random $i$ in the range $1 \le i \le q_{\mathrm{hash}}$ and respond by $y$ to hash query (hash, $\mathrm{Msg}[i]$). To all
other queries $j$ it will respond by first picking $X[j]$ at random in $\mathbb{Z}_N^*$ and setting $H(\mathrm{Msg}[j]) = (X[j])^e \bmod N$.
The forged message $M$ will equal $\mathrm{Msg}[i]$ with probability at least $1/q_{\mathrm{hash}}$ and this will imply Equation (10.2).
Below we summarize these ideas as a proof of Theorem 10.19.
It is tempting from the above description to suggest that we always choose $i = q_{\mathrm{hash}}$, since $\mathrm{Msg}[q_{\mathrm{hash}}] = M$ by
definition. Why won't that work? Because $M$ might also have been equal to $\mathrm{Msg}[j]$ for some $j < q_{\mathrm{hash}}$, and if
we had set $i = q_{\mathrm{hash}}$ then at the time we want to return $y$ as the answer to $M$ we find we have already defined
$H(M)$ as something else and it is too late to change our minds.
Proof of Theorem 10.19: We first describe $I$ in terms of two subroutines: a hash oracle simulator HSim($\cdot$)
and a sign oracle simulator SSim($\cdot$). It takes inputs $N, e, y$ where $y \in \mathbb{Z}_N^*$ and maintains three tables, Msg, $X$
and $Y$, each an array with index in the range from 1 to $q_{\mathrm{hash}}$. It picks a random index $i$. All these are global
variables which will be used also by the subroutines. The intended meaning of the array entries is the following,
for $j = 1, \ldots, q_{\mathrm{hash}}$:

$\mathrm{Msg}[j]$ – The $j$th hash query in the experiment
$Y[j]$ – The reply of the hash oracle simulator to the above, meaning the value playing the role of $H(\mathrm{Msg}[j])$. For $j = i$ it is $y$.
$X[j]$ – For $j \ne i$, the response to sign query $\mathrm{Msg}[j]$, meaning it satisfies $(X[j])^e \equiv Y[j] \pmod N$. For $j = i$ it is undefined.

The code for the inverter is below.

Inverter $I(N, e, y)$
  Initialize arrays $\mathrm{Msg}[1 \ldots q_{\mathrm{hash}}]$, $X[1 \ldots q_{\mathrm{hash}}]$, $Y[1 \ldots q_{\mathrm{hash}}]$ to empty
  $j \leftarrow 0$ ; $i \xleftarrow{\$} \{1, \ldots, q_{\mathrm{hash}}\}$
  Run $F$ on input $(N, e)$
    If $F$ makes oracle query (hash, $M$)
      then $h \leftarrow \mathrm{HSim}(M)$ ; return $h$ to $F$ as the answer
    If $F$ makes oracle query (sign, $M$)
      then $x \leftarrow \mathrm{SSim}(M)$ ; return $x$ to $F$ as the answer
  Until $F$ halts with output $(M, x)$
  $y' \leftarrow \mathrm{HSim}(M)$
  Return $x$

The inverter responds to oracle queries by using the appropriate subroutines. Once it has the claimed forgery,
it makes the corresponding hash query and then returns the signature $x$.
We now describe the hash oracle simulator. It makes reference to the global variables instantiated in the
main code of $I$. It takes as argument a value $v$ which is simply some message whose hash is requested either
directly by $F$ or by the sign simulator below when the latter is invoked by $F$.
We will make use of a subroutine Find that given an array $A$, a value $v$ and index $m$, returns 0 if $v \notin
\{A[1], \ldots, A[m]\}$, and else returns the smallest index $l$ such that $v = A[l]$.

Subroutine HSim($v$)
  $l \leftarrow \mathrm{Find}(\mathrm{Msg}, v, j)$ ; $j \leftarrow j + 1$ ; $\mathrm{Msg}[j] \leftarrow v$
  If $l = 0$ then
    If $j = i$ then $Y[j] \leftarrow y$
    Else $X[j] \xleftarrow{\$} \mathbb{Z}_N^*$ ; $Y[j] \leftarrow (X[j])^e \bmod N$
    EndIf
    Return $Y[j]$
  Else
    If $j = i$ then abort
    Else $X[j] \leftarrow X[l]$ ; $Y[j] \leftarrow Y[l]$ ; Return $Y[j]$
    EndIf
  EndIf
The manner in which the hash queries are answered enables the following sign simulator.

Subroutine SSim($M$)
  $h \leftarrow \mathrm{HSim}(M)$
  If $\mathrm{Find}(\mathrm{Msg}, M, j) = i$ then abort
  Else return $X[j]$
  EndIf

Inverter $I$ might abort execution due to the “abort” instruction in either subroutine. The first such situation is
that the hash oracle simulator is unable to return $y$ as the response to the $i$th hash query because this query
equals a previously replied-to query. The second case is that $F$ asks for the signature of the message which is
the $i$th hash query, whether the sign query is itself the $i$th hash query or the message was first hashed at position
$i$ and is now being queried again (in which case $X[j]$ was copied from the undefined $X[i]$); $I$ cannot provide that
signature since it is hoping the $i$th message is the one in the forgery and has returned $y$ as the hash oracle response.
Now we need to lower bound the ow-kea-advantage of $I$ with respect to $\mathcal{K}_{rsa}$. There are a few observations
involved in verifying the bound claimed in Equation (10.2). First, the “view” of $F$ at any time at which $I$
has not aborted is the “same” as in Experiment $\mathbf{Exp}^{\text{uf-cma}}_{\mathcal{DS}}(F)$. This means that the answers being returned to $F$
by $I$ are distributed exactly as they would be in the real experiment. Second, $F$ gets no information about the
value $i$ that $I$ chooses at random. Now remember that the last hash simulator query made by $I$ is the message $M$
in the forgery, so $M$ is certainly in the array Msg at the end of the execution of $I$. Let $l = \mathrm{Find}(\mathrm{Msg}, M, q_{\mathrm{hash}})$
be the first index at which $M$ occurs, meaning $\mathrm{Msg}[l] = M$ but no previous message is $M$. The random choice
of $i$ then means that there is a $1/q_{\mathrm{hash}}$ chance that $i = l$, which in turn means that $Y[i] = y$ and the hash oracle
simulator won't abort; nor will the sign oracle simulator, since a successful $F$ never asks for a signature on $M$.
If $x$ is a correct signature of $M$ we will have $x^e \equiv Y[i] \pmod N$ because $Y[i]$ is $H(M)$
from the point of view of $F$. So $I$ is successful whenever this happens.
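The inverter $I$ with its two simulators, together with the lazily sampled random oracle of the table process described earlier in this section, as an added Python example that is not code from these notes. The toy key, the stand-in forger `demo_forger` (which cheats by using $d$ so that the reduction has a forgery to work with; only its query pattern matters) and the value $q_{\mathrm{hash}} = 6$ are assumptions of this example. `inverter` takes the guess $i$ as an optional argument so that the success case and both abort cases of the proof can be exercised deterministically; left unspecified, $i$ is drawn uniformly as in the proof.

```python
import secrets
from math import gcd

# Toy RSA key (illustration only; real moduli are ~2048 bits). The small size
# keeps the reduction's bookkeeping easy to follow.
P, Q = 1009, 1013
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def rand_zn_star(n: int = N) -> int:
    """Uniform element of Z_n^* by rejection sampling."""
    while True:
        x = 1 + secrets.randbelow(n - 1)
        if gcd(x, n) == 1:
            return x


class RandomOracle:
    """H: {0,1}^* -> Z_N^* as the table process of Section 10.5.8: a fresh
    random unit on a new query, the stored value on a repeated one."""
    def __init__(self):
        self.table = {}

    def __call__(self, m: bytes) -> int:
        if m not in self.table:
            self.table[m] = rand_zn_star()
        return self.table[m]


def fdh_sign(H, m: bytes) -> int:
    return pow(H(m), D, N)


def fdh_verify(H, m: bytes, x: int) -> bool:
    return 1 <= x < N and gcd(x, N) == 1 and pow(x, E, N) == H(m)


def run_real_experiment(forger) -> int:
    """Exp^{uf-cma}_{DS}(F): honest oracle H and honest signer; returns 1 iff
    the forgery verifies and its message was never a sign query."""
    H, signed = RandomOracle(), set()

    def sign_q(m):
        signed.add(m)
        return fdh_sign(H, m)

    m, x = forger((N, E), H, sign_q)
    return int(fdh_verify(H, m, x) and m not in signed)


def demo_forger(pk, hash_q, sign_q):
    """Stand-in forger used only to exercise the reduction. It CHEATS by using
    the trapdoor d (a real F has no d); what matters is its query pattern:
    hash alpha, beta, gamma (Msg[1..3]); sign beta (Msg[4]); hash alpha again
    (Msg[5]); forge on gamma, whose first hash query was Msg[3]."""
    y_gamma = [hash_q(m) for m in (b"alpha", b"beta", b"gamma")][2]
    sign_q(b"beta")
    hash_q(b"alpha")
    return b"gamma", pow(y_gamma, D, N)


def inverter(n: int, e: int, y: int, forger, q_hash: int, i=None):
    """I of Theorem 10.19. Returns a candidate for y^d mod n, or None on abort.
    i is the guessed index of the first hash query of the forged message;
    drawn uniformly from {1..q_hash} as in the proof when not supplied."""
    i = i if i is not None else 1 + secrets.randbelow(q_hash)
    Msg, X, Y = [None], [None], [None]            # 1-indexed arrays

    class Abort(Exception):
        pass

    def find(v) -> int:
        """Smallest l with Msg[l] == v, or 0 if v has not been queried yet."""
        return next((l for l in range(1, len(Msg)) if Msg[l] == v), 0)

    def hsim(v):
        l = find(v)
        Msg.append(v)
        j = len(Msg) - 1
        if l == 0:                                # new message
            if j == i:
                X.append(None); Y.append(y)       # plant the challenge here
            else:
                x = rand_zn_star(n)
                X.append(x); Y.append(pow(x, e, n))
        else:                                     # repeated message
            if j == i:
                raise Abort                       # H(v) already fixed, cannot be y
            X.append(X[l]); Y.append(Y[l])
        return Y[j]

    def ssim(m):
        hsim(m)
        if find(m) == i:      # its hash is y, whose e-th root I does not know
            raise Abort
        return X[len(Msg) - 1]

    try:
        m, x = forger((n, e), hsim, ssim)
        hsim(m)                                   # the final verification query
    except Abort:
        return None
    return x
```

With `i=3`, the index of the first hash query of the forged message, `inverter` returns $x$ with $x^e \equiv y \pmod N$; with `i=2` the sign query on the planted message aborts in `ssim`, and with `i=4` the repeated hash query of `beta` aborts in `hsim`. Left to choose $i$ at random, $I$ succeeds against this forger with probability exactly $1/6 = 1/q_{\mathrm{hash}}$, matching the bound of Equation (10.2).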
10.5.9 PSS0: A security improvement
The FDH-RSA signature scheme has the attractive security attribute of possessing a proof of security under
the assumption that RSA is a one-way function, albeit in the random oracle model. However the quantitative
security as given by Theorem 10.19 could be better. The theorem leaves open the possibility that one could
forge signatures with a probability that is $q_{\mathrm{hash}}$ times the probability of being able to invert the RSA function
at a random point, the two actions being measured with regard to adversaries with comparable execution time.
Since $q_{\mathrm{hash}}$ could be quite large, say $2^{60}$, there is an appreciable loss in security here. We now present a scheme
in which the security relation is much tighter: the probability of signature forgery is not appreciably higher
than that of being able to invert RSA in comparable time.
The scheme is called PSS0, for “probabilistic signature scheme, version 0”, to emphasize a key aspect of it,
namely that it is randomized: the signing algorithm picks a new random value each time it is invoked and uses
that to compute signatures. The scheme $\mathcal{DS} = (\mathcal{K}_{rsa}, \mathcal{S}, \mathcal{V})$, like FDH-RSA, makes use of a public hash function
$H\colon \{0,1\}^* \to \mathbb{Z}_N^*$ which is modeled as a random oracle. Additionally it has a parameter $s$ which is the length of
the random value chosen by the signing algorithm. We write the signing and verifying algorithms as follows:

Algorithm $\mathcal{S}^{H(\cdot)}_{N,p,q,d}(M)$
  $r \xleftarrow{\$} \{0,1\}^s$
  $y \leftarrow H(r \| M)$
  $x \leftarrow y^d \bmod N$
  Return $(r, x)$

Algorithm $\mathcal{V}^{H(\cdot)}_{N,e}(M, \sigma)$
  Parse $\sigma$ as $(r, x)$ where $|r| = s$
  $y \leftarrow H(r \| M)$
  If $x^e \bmod N = y$ then return 1 else return 0

Obvious “range checks” are for simplicity not written explicitly in the verification code; for example in a real
implementation the latter should check that $1 \le x < N$ and $\gcd(x, N) = 1$.
This scheme may still be viewed as being in the “hash-then-invert” paradigm, except that the hash is randomized
via a value chosen by the signing algorithm. If you twice sign the same message, you are likely to get different
signatures. Notice that random value $r$ must be included in the signature since otherwise it would not be
possible to verify the signature. Thus unlike the previous schemes, the signature is not a member of $\mathbb{Z}_N^*$; it is a
pair one of whose components is an $s$-bit string and the other is a member of $\mathbb{Z}_N^*$. The length of the signature is
$s + k$ bits, somewhat longer than signatures for deterministic hash-then-invert signature schemes. It will usually
suffice to set $s$ to, say, 160, and given that $k$ could be 1024, the length increase may be tolerable.
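PSS0 signing and verification with the range checks mentioned above, as an added Python example that is not code from these notes. The toy key (the same two-Mersenne-prime modulus used for illustration, 216 bits), the 160-bit salt and the stand-in `H` (SHA-256 under a counter, reduced modulo $N$, an assumption that only approximates a random oracle into $\mathbb{Z}_N^*$) are this example's choices; the signature is serialized as $r \| x$ so that `pss0_verify` has to parse it and reject malformed or out-of-range values before any exponentiation.

```python
import hashlib
import secrets
from math import gcd

# Toy RSA key (illustration only): modulus (2^127 - 1)(2^89 - 1), k = 216 bits.
P, Q = 2**127 - 1, 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K_BYTES = (N.bit_length() + 7) // 8    # 27 bytes encode an x in [1, N)
S_BYTES = 20                            # s = 160 bits, the salt length the text suggests


def H(data: bytes) -> int:
    """Stand-in for the random oracle H: {0,1}^* -> Z_N^*. Assumption for this
    example: SHA-256 under a counter, reduced mod N, retried until the result is
    a unit. The 256-bit digest is about 40 bits wider than N, so the bias is
    small but not zero; a deployed scheme needs a proper full-domain hash."""
    ctr = 0
    while True:
        y = int.from_bytes(hashlib.sha256(bytes([ctr]) + data).digest(), "big") % N
        if y != 0 and gcd(y, N) == 1:
            return y
        ctr += 1


def pss0_sign(m: bytes) -> bytes:
    """sigma = r || x, with r a fresh s-bit salt and x = H(r || M)^d mod N."""
    r = secrets.token_bytes(S_BYTES)
    x = pow(H(r + m), D, N)
    return r + x.to_bytes(K_BYTES, "big")


def pss0_verify(m: bytes, sigma: bytes) -> bool:
    """Parse sigma as (r, x) with |r| = s, apply the range checks the text asks
    for (1 <= x < N and gcd(x, N) = 1), then test x^e = H(r || M) mod N."""
    if len(sigma) != S_BYTES + K_BYTES:
        return False
    r, x = sigma[:S_BYTES], int.from_bytes(sigma[S_BYTES:], "big")
    if not (1 <= x < N) or gcd(x, N) != 1:
        return False
    return pow(x, E, N) == H(r + m)


def encode_signature(r: bytes, x: int) -> bytes:
    """Encode an arbitrary (r, x) pair the way pss0_sign does; used to present the
    verifier with out-of-range values such as x = 0 or x = N."""
    return r + x.to_bytes(K_BYTES, "big")
```

Signing the same message twice yields different signatures because of the fresh $r$, and flipping a bit of $r$ in a valid signature makes it fail, since $x$ is tied to $H(r \| M)$ and not to $M$ alone. `encode_signature` lets a caller hand $x = 0$ or $x = N$ to the verifier; the range checks reject those before the exponentiation.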
The success probability of a forger $F$ attacking $\mathcal{DS}$ is measured in the random oracle model, via experiment
$\mathbf{Exp}^{\text{uf-cma}}_{\mathcal{DS}}(F)$. Namely the experiment is the same experiment as in the FDH-RSA case; only the scheme $\mathcal{DS}$ we
plug in is now the one above. Accordingly we have the insecurity function associated to the scheme. Now we
can summarize the security property of the PSS0 scheme.
Theorem 10.20 Let $\mathcal{DS}$ be the PSS0 scheme with security parameters $k$ and $s$. Let $F$ be an adversary making
$q_{\mathrm{sig}}$ signing queries and $q_{\mathrm{hash}} \ge 1 + q_{\mathrm{sig}}$ hash oracle queries. Then there exists an adversary $I$ such that
$$\mathbf{Adv}^{\text{uf-cma}}_{\mathcal{DS}}(F) \le \mathbf{Adv}^{\text{ow-kea}}_{\mathcal{K}_{rsa}}(I) + \frac{(q_{\mathrm{hash}} - 1)\, q_{\mathrm{sig}}}{2^s}, \qquad (10.3)$$
and the running time of $I$ is that of $F$ plus $q_{\mathrm{hash}} \cdot O(k^3)$.
Say $q_{\mathrm{hash}} = 2^{60}$ and $q_{\mathrm{sig}} = 2^{40}$. With $s = 160$ the additive term above is about $2^{-60}$, which is very small. So
for all practical purposes the additive term can be neglected and the security of the PSS0 signature scheme is
tightly related to that of RSA.
We proceed to the proof of Theorem 10.20. The design of $I$ follows the same framework used in the proof of Theorem 10.19. Namely $I$, on input $N, e, y$, will execute $F$ on input $N, e$, and answer $F$’s oracle queries so that $F$ can complete its execution. From the forgery, $I$ will somehow find $y^d \bmod N$. $I$ will respond to hash oracle queries of $F$ via a subroutine $\mathrm{HSim}$ called the hash oracle simulator, and will respond to sign queries of $F$ via a subroutine $\mathrm{SSim}$ called the sign oracle simulator. A large part of the design is the design of these subroutines. To get some intuition it is helpful to step back to the proof of Theorem 10.19.
We see that in that proof, the multiplicative factor of $q_{\mathrm{hash}}$ in Equation (10.2) came from $I$’s guessing at random a value $i \in \{1, \ldots, q_{\mathrm{hash}}\}$, and hoping that $i = \mathrm{Find}(\mathrm{Msg}, M, q_{\mathrm{hash}})$ where $M$ is the message in the forgery. That is, it must guess the time at which the message in the forgery is first queried of the hash oracle. The best we can say about the chance of getting this guess right is that it is at least $1/q_{\mathrm{hash}}$. However if we now want $I$’s probability of success to be as in Equation (10.3), we cannot afford to guess the time at which the forgery message is queried of the hash oracle. Yet, we certainly don’t know this time in advance. Somehow, $I$ has to be able to take advantage of the forgery to return $y^d \bmod N$ nonetheless.
A simple idea that comes to mind is to return $y$ as the answer to all hash queries. Then certainly a forgery on a queried message yields the desired value $y^d \bmod N$. Consider this strategy for FDH. In that case, two problems arise. First, these answers would then not be random and independent, as required for answers to hash queries. Second, if a message in a hash query is later a sign query, $I$ would have no way to answer the sign query. (Remember that $I$ computed its reply to hash query $\mathrm{Msg}[j]$ for $j \ne i$ as $(X[j])^e \bmod N$ exactly in order to be able to later return $X[j]$ if $\mathrm{Msg}[j]$ showed up as a sign query. But there is a conflict here: $I$ can either do this, or return $y$, but not both. It has to choose, and in the FDH case it chooses at random.)
The first problem is actually easily settled by a small algebraic trick, exploiting what is called the self-reducibility of RSA. When $I$ wants to return $y$ as an answer to a hash oracle query $\mathrm{Msg}[j]$, it picks a random $X[j]$ in $Z_N^*$ and returns $Y[j] = y \cdot (X[j])^e \bmod N$. The value $X[j]$ is chosen randomly and independently each time. Now the fact that $\mathrm{RSA}_{N,e}$ is a permutation means that all the different $Y[j]$ values are randomly and independently distributed. Furthermore, suppose $(M, (r, x))$ is a forgery for which hash oracle query $r\|M$ has been made and got the response $Y[l] = y \cdot (X[l])^e \bmod N$. Then we have $(x \cdot X[l]^{-1})^e \equiv y \pmod N$, and thus the inverse of $y$ is $x \cdot X[l]^{-1} \bmod N$.
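The self-reducibility trick just described, as an added worked example that is not part of the original notes. It constructs a toy RSA key (the primes 61 and 53, $e = 17$), stands in for the forger with code that cheats using the secret exponent, and checks the permutation claim by brute force over all of $Z_N^*$ in `blinded_answers_cover_all_units`, which is only feasible because the modulus is tiny. The function names are this example's own.

```python
# Added example (not from the lecture notes): the RSA self-reducibility trick
# that the inverter I uses in the proof of Theorem 10.20.  The RSA key below
# is a constructed toy (p = 61, q = 53, e = 17); it is for illustration only.
import math
import random

P, Q = 61, 53
N = P * Q                           # 3233
E = 17
D = pow(E, -1, (P - 1) * (Q - 1))   # secret exponent, used only to play the forger

def rand_unit(n, rng=random):
    """Sample X uniformly from Z_N^*."""
    while True:
        x = rng.randrange(1, n)
        if math.gcd(x, n) == 1:
            return x

def simulated_hash_answer(y, n, e, x_blind=None, rng=random):
    """HSim's reply to a fresh direct hash query: pick X at random and answer
    Y = y * X^e mod N.  I remembers X; F sees a uniformly random Y."""
    if x_blind is None:
        x_blind = rand_unit(n, rng)
    return x_blind, (y * pow(x_blind, e, n)) % n

def recover_root(forged_sig, x_blind, n):
    """Given a forgery x with x^e = Y = y * X^e, return y^d = x * X^{-1} mod N."""
    return (forged_sig * pow(x_blind, -1, n)) % n

def blinded_answers_cover_all_units(y, n, e):
    """Check that X -> y * X^e mod N is a bijection on Z_N^*: this is why the
    blinded answers are distributed exactly like random-oracle output.  Brute
    force over all units, feasible only for the toy modulus."""
    units = [x for x in range(1, n) if math.gcd(x, n) == 1]
    images = {(y * pow(x, e, n)) % n for x in units}
    return images == set(units)

def demo(seed=1):
    """Run the whole trick once: challenge y, blinded hash answer, a forgery
    on that hash value (produced here by cheating with d), and recovery."""
    rng = random.Random(seed)
    y = rand_unit(N, rng)                                # inverter's challenge
    x_blind, y_j = simulated_hash_answer(y, N, E, rng=rng)
    forged = pow(y_j, D, N)                              # stands in for F's forgery
    w = recover_root(forged, x_blind, N)
    return w, pow(w, E, N) == y                          # second value is True
```

The `demo` function plays both sides: only the stand-in forger ever touches `D`; the inverter's own work is the blinding in `simulated_hash_answer` and the unblinding in `recover_root`.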
The second problem however, cannot be resolved for FDH. That is exactly why PSS0 prepends the random value $r$ to the message before hashing. This effectively “separates” the two kinds of hash queries: the direct queries of $F$ to the hash oracle, and the indirect queries to the hash oracle arising from the sign oracle. The direct hash oracle queries have the form $r\|M$ for some $l$-bit string $r$ and some message $M$. The sign query is just a message $M$. To answer it, a value $r$ is first chosen at random. But then the value $r\|M$ has low probability of having been a previous hash query. So at the time any new direct hash query is made, $I$ can assume it will never be an indirect hash query, and thus reply via the above trick.
Cryptography: Lecture Notes 199
Here now is the full proof.
Proof of Theorem 10.20: We first describe $I$ in terms of two subroutines: a hash oracle simulator $\mathrm{HSim}(\cdot)$ and a sign oracle simulator $\mathrm{SSim}(\cdot)$. It takes input $N, e, y$ where $y \in Z_N^*$, and maintains four tables, $R$, $V$, $X$ and $Y$, each an array with index in the range from 1 to $q_{\mathrm{hash}}$. All these are global variables which will be used also by the subroutines. The intended meaning of the array entries is the following, for $j = 1, \ldots, q_{\mathrm{hash}}$:
$V[j]$ – The $j$th hash query in the experiment, having the form $R[j]\|\mathrm{Msg}[j]$
$R[j]$ – The first $l$ bits of $V[j]$
$Y[j]$ – The value playing the role of $H(V[j])$, chosen either by the hash simulator or the sign simulator
$X[j]$ – If $V[j]$ is a direct hash oracle query of $F$ this satisfies $Y[j] \cdot X[j]^{-e} \equiv y \pmod N$. If $V[j]$ is an indirect hash oracle query this satisfies $X[j]^e \equiv Y[j] \pmod N$, meaning it is a signature of $\mathrm{Msg}[j]$.
Note that we don’t actually need to store the array $\mathrm{Msg}$; it is only referred to above in the explanation of terms. We will make use of a subroutine $\mathrm{Find}$ that given an array $A$, a value $v$ and index $m$, returns 0 if $v \notin \{A[1], \ldots, A[m]\}$, and else returns the smallest index $l$ such that $v = A[l]$.
Inverter $I(N, e, y)$
    Initialize arrays $R[1 \ldots q_{\mathrm{hash}}]$, $V[1 \ldots q_{\mathrm{hash}}]$, $X[1 \ldots q_{\mathrm{hash}}]$, $Y[1 \ldots q_{\mathrm{hash}}]$, to empty
    $j \leftarrow 0$
    Run $F$ on input $N, e$
        If $F$ makes oracle query $(\mathrm{hash}, v)$
            then $h \leftarrow \mathrm{HSim}(v)$ ; return $h$ to $F$ as the answer
        If $F$ makes oracle query $(\mathrm{sign}, M)$
            then $\sigma \leftarrow \mathrm{SSim}(M)$ ; return $\sigma$ to $F$ as the answer
    Until $F$ halts with output $(M, (r, x))$
    $h \leftarrow \mathrm{HSim}(r\|M)$ ; $l \leftarrow \mathrm{Find}(V, r\|M, q_{\mathrm{hash}})$
    $w \leftarrow x \cdot X[l]^{-1} \bmod N$ ; Return $w$
We now describe the hash oracle simulator. It makes reference to the global variables instantiated in the main code of $I$. It takes as argument a value $v$ which is assumed to be at least $s$ bits long, meaning of the form $r\|M$ for some $s$-bit string $r$. (There is no need to consider hash queries not of this form since they are not relevant to the signature scheme.)
Subroutine $\mathrm{HSim}(v)$
    Parse $v$ as $r\|M$ where $|r| = s$
    $l \leftarrow \mathrm{Find}(V, v, j)$ ; $j \leftarrow j + 1$ ; $R[j] \leftarrow r$ ; $V[j] \leftarrow v$
    If $l = 0$ then
        $X[j] \xleftarrow{\$} Z_N^*$ ; $Y[j] \leftarrow y \cdot (X[j])^e \bmod N$ ; Return $Y[j]$
    Else
        $X[j] \leftarrow X[l]$ ; $Y[j] \leftarrow Y[l]$ ; Return $Y[j]$
    EndIf
Every string $v$ queried of the hash oracle is put by this routine into a table $V$, so that $V[j]$ is the $j$th hash oracle query in the execution of $F$. The following sign simulator does not invoke the hash simulator, but if necessary fills in the necessary tables itself.
Subroutine $\mathrm{SSim}(M)$
    $r \xleftarrow{\$} \{0,1\}^{s}$
    $l \leftarrow \mathrm{Find}(R, r, j)$
    If $l \ne 0$ then abort
    Else
        $j \leftarrow j + 1$ ; $R[j] \leftarrow r$ ; $V[j] \leftarrow r\|M$ ; $X[j] \xleftarrow{\$} Z_N^*$ ; $Y[j] \leftarrow (X[j])^e \bmod N$
        Return $X[j]$
    EndIf
Now we need to establish Equation (10.3).
First consider $\mathrm{Exp}^{\mathrm{ow\text{-}kea}}_{\mathcal{K}^{\mathrm{rsa}}}(I)$ and let $\Pr_1[\cdot]$ denote the probability function in this experiment. Let $\mathrm{bad}_1$ be the event that $I$ aborts due to the “abort” instruction in the sign-oracle simulator.
Now consider $\mathrm{Exp}^{\mathrm{uf\text{-}cma}}_{\mathcal{DS}}(F)$, and let $\Pr_2[\cdot]$ denote the probability function in this experiment. Let $\mathrm{bad}_2$ be the event that the sign oracle picks a value $r$ such that $F$ had previously made a hash query $r\|M$ for some $M$.
Let $\mathrm{succ}$ be the event (in either experiment) that $F$ succeeds in forgery. Now we have
$$\begin{aligned}
\mathrm{Adv}^{\mathrm{uf\text{-}cma}}_{\mathcal{DS}}(F) &= \Pr_2[\mathrm{succ}] \\
&= \Pr_2[\mathrm{succ} \wedge \overline{\mathrm{bad}_2}] + \Pr_2[\mathrm{succ} \wedge \mathrm{bad}_2] \\
&\le \Pr_2[\mathrm{succ} \wedge \overline{\mathrm{bad}_2}] + \Pr_2[\mathrm{bad}_2] \\
&= \Pr_1[\mathrm{succ} \wedge \overline{\mathrm{bad}_1}] + \Pr_1[\mathrm{bad}_1] & (10.4) \\
&= \mathrm{Adv}^{\mathrm{ow\text{-}kea}}_{\mathcal{K}^{\mathrm{rsa}}}(I) + \Pr_1[\mathrm{bad}_1] & (10.5) \\
&\le \mathrm{Adv}^{\mathrm{ow\text{-}kea}}_{\mathcal{K}^{\mathrm{rsa}}}(I) + \frac{(q_{\mathrm{hash}} - 1)\, q_{\mathrm{sig}}}{2^{s}}. & (10.6)
\end{aligned}$$
This establishes Equation (10.3). Let us now provide some explanations for the above.
First, Equation (10.6) is justified as follows. The event in question happens if the random value $r$ chosen in the sign oracle simulator is already present in the set $\{R[1], \ldots, R[j]\}$. This set has size at most $q_{\mathrm{hash}} - 1$ at the time of a sign query, so the probability that $r$ falls in it is at most $(q_{\mathrm{hash}} - 1)/2^{s}$. The sign oracle simulator is invoked at most $q_{\mathrm{sig}}$ times, so the bound follows.
It is tempting to think that the “view” of $F$ at any time at which $I$ has not aborted is the “same” as the view of $F$ in Experiment $\mathrm{Exp}^{\mathrm{uf\text{-}cma}}_{\mathcal{DS}}(F)$. This is not true, because it can test whether or not $\mathrm{bad}$ occurred. That’s why we consider bad events in both games, and note that
$$\mathrm{Adv}^{\mathrm{ow\text{-}kea}}_{\mathcal{K}^{\mathrm{rsa}}}(I) = \Pr_1[\mathrm{succ} \wedge \overline{\mathrm{bad}_1}] = \Pr_2[\mathrm{succ} \wedge \overline{\mathrm{bad}_2}].$$
This is justified as follows. Remember that the last hash simulator query made by $I$ is $r\|M$ where $M$ is the message in the forgery, so $r\|M$ is certainly in the array $V$ at the end of the execution of $I$. So $l = \mathrm{Find}(V, r\|M, q_{\mathrm{hash}}) \ne 0$. We know that $r\|M$ was not put in $V$ by the sign simulator, because $F$ is not allowed to have made sign query $M$. This means the hash oracle simulator has been invoked on $r\|M$. This means that $Y[l] = y \cdot (X[l])^e \bmod N$ because that is the way the hash oracle simulator chooses its replies. The correctness of the forgery means that $x^e \equiv H(r\|M) \pmod N$, and the role of the $H$ value here is played by $Y[l]$, so we get $x^e \equiv Y[l] \equiv y \cdot (X[l])^e \pmod N$. Solving this gives $(x \cdot X[l]^{-1})^e \bmod N = y$, and thus the inverter is correct in returning $x \cdot X[l]^{-1} \bmod N$.
It may be worth adding some words of caution about the above. It is tempting to think that
$$\mathrm{Adv}^{\mathrm{ow\text{-}kea}}_{\mathcal{K}^{\mathrm{rsa}}}(I) \;\ge\; \left(1 - \frac{(q_{\mathrm{hash}} - 1)\, q_{\mathrm{sig}}}{2^{s}}\right) \mathrm{Adv}^{\mathrm{uf\text{-}cma}}_{\mathcal{DS}}(F),$$
which would imply Equation (10.3) but is actually stronger. This however is not true, because the bad events and success events as defined above are not independent.
[Figure 10.1: PSS: Components of image $y = 0\|w\|r^*\|g_2(w)$ are darkened. The signature of $M$ is $y^d \bmod N$. The diagram carries the labels $M$, $r$, $h$, $w$, $g_1$, $g_2$, $\oplus$, $r^*$, $0$ and $g_2(w)$; the picture itself is not reproduced here.]
10.5.10 The Probabilistic Signature Scheme – PSS
PSS0 obtained improved security over FDH-RSA but at the cost of an increase in signature size. The scheme presented here reduces the signature size, so that it has both high security and the same signature size as FDH-RSA. This is the probabilistic signature scheme (PSS) of [26].
Signature scheme $\mathrm{PSS}[k_0, k_1] = (\mathcal{K}^{\mathrm{rsa}}, \mathrm{SignPSS}, \mathrm{VerifyPSS})$ is parameterized by $k_0$ and $k_1$, which are numbers between 1 and $k$ satisfying $k_0 + k_1 \le k - 1$. To be concrete, the reader may like to imagine $k = 1024$, $k_0 = k_1 = 128$. Algorithm $\mathcal{K}^{\mathrm{rsa}}$ is an RSA key generation algorithm as defined in Section 10.5.3. The signing and verifying algorithms make use of two hash functions. The first, $h$, called the compressor, maps as $h\colon \{0,1\}^* \to \{0,1\}^{k_1}$ and the second, $g$, called the generator, maps as $g\colon \{0,1\}^{k_1} \to \{0,1\}^{k - k_1 - 1}$. (The analysis assumes these to be ideal. In practice they can be implemented in simple ways out of cryptographic hash functions like MD5, as discussed in Appendix 10.5.12.) Let $g_1$ be the function which on input $w \in \{0,1\}^{k_1}$ returns the first $k_0$ bits of $g(w)$, and let $g_2$ be the function which on input $w \in \{0,1\}^{k_1}$ returns the remaining $k - k_0 - k_1 - 1$ bits of $g(w)$.
We now describe how to sign and verify. Refer to Figure 10.1 for a picture. We write the signing and verifying algorithms as follows:
Algorithm $\mathrm{SignPSS}^{g,h}_{N,d}(M)$
    $r \xleftarrow{\$} \{0,1\}^{k_0}$ ; $w \leftarrow h(M\|r)$
    $r^* \leftarrow g_1(w) \oplus r$
    $y \leftarrow 0\|w\|r^*\|g_2(w)$
    $x \leftarrow y^d \bmod N$
    Return $x$
Algorithm $\mathrm{VerifyPSS}^{g,h}_{N,e}(M, x)$
    $y \leftarrow x^e \bmod N$
    Parse $y$ as $b\|w\|r^*\|\gamma$ where $|b| = 1$, $|w| = k_1$, $|r^*| = k_0$
    $r \leftarrow r^* \oplus g_1(w)$
    If ( $h(M\|r) = w$ and $g_2(w) = \gamma$ and $b = 0$ ) then return 1 else return 0
Obvious “range checks” are for simplicity not written explicitly in the verification code; for example in a real implementation the latter should check that $1 \le x < N$ and $\gcd(x, N) = 1$.
The step $r \xleftarrow{\$} \{0,1\}^{k_0}$ indicates that the signer picks at random a seed $r$ of $k_0$ bits. He then concatenates this seed to the message $M$, effectively “randomizing” the message, and hashes this down, via the “compressing” function, to a $k_1$-bit string $w$. Then the generator $g$ is applied to $w$ to yield a $k_0$-bit string $r^* = g_1(w)$ and a $(k - k_0 - k_1 - 1)$-bit string $g_2(w)$. The first is used to “mask” the $k_0$-bit seed $r$, resulting in the masked seed $r^*$. Now $w\|r^*$ is prepended with a 0 bit and appended with $g_2(w)$ to create the image point $y$ which is decrypted under the RSA function to define the signature. (The 0-bit is to guarantee that $y$ is in $Z_N^*$.)
Notice that a new seed is chosen for each message. In particular, a given message has many possible signatures, depending on the value of $r$ chosen by the signer.
Given $(M, x)$, the verifier first computes $y = x^e \bmod N$ and recovers $r^*, w, r$. These are used to check that $y$ was correctly constructed, and the verifier only accepts if all the checks succeed.
Note the efficiency of the scheme is as claimed. Signing takes one application of $h$, one application of $g$, and one RSA decryption, while verification takes one application of $h$, one application of $g$, and one RSA encryption.
[Figure 10.2: PSSR: Components of image $y = 0\|w\|r^*\|M^*$ are darkened. The diagram carries the labels $M$, $r$, $h$, $w$, $g_1$, $g_2$, $\oplus$, $r^*$, $M^*$, $0$, $g_1(w)$ and $g_2(w)$; the picture itself is not reproduced here.]
The following theorem proves the security of the PSS based on the one-wayness of RSA. The relation between the two securities is pretty much the same as that for PSS0 that we saw in Theorem 10.20, meaning essentially tight, and much tighter than the one we saw for the FDH scheme. This time however it was achieved without increase in signature size.
Theorem 10.21 [26] Let $\mathcal{DS}$ be the PSS scheme with security parameters $k_0$ and $k_1$. Let $F$ be an adversary making $q_{\mathrm{sig}}$ signing queries and $q_{\mathrm{hash}} \ge 1 + q_{\mathrm{sig}}$ hash oracle queries. Then there exists an adversary $I$ such that
$$\mathrm{Adv}^{\mathrm{uf\text{-}cma}}_{\mathcal{DS}}(F) \;\le\; \mathrm{Adv}^{\mathrm{ow\text{-}kea}}_{\mathcal{K}^{\mathrm{rsa}}}(I) + \left[3(q_{\mathrm{hash}} - 1)^2\right] \left(2^{-k_0} + 2^{-k_1}\right),$$
and the running time of $I$ is that of $F$ plus $q_{\mathrm{hash}} \, k_0 \, O(k^3)$.
The proof is in [26]. It extends the proof of Theorem 10.20 given above.
10.5.11 Signing with Message Recovery – PSSR
Message recovery. In a standard signature scheme the signer transmits the message $M$ in the clear, attaching to it the signature $x$. In a scheme which provides message recovery, only an “enhanced signature” $\tau$ is transmitted. The goal is to save on the bandwidth for a signed message: we want the length of this enhanced signature to be smaller than $|M| + |x|$. (In particular, when $M$ is short, we would like the length of $\tau$ to be $k$, the signature length.) The verifier recovers the message $M$ from the enhanced signature and checks authenticity at the same time.
We accomplish this by “folding” part of the message into the signature in such a way that it is “recoverable” by the verifier. When the length $n$ of $M$ is small, we can in fact fold the entire message into the signature, so that only a $k$-bit quantity is transmitted. In the scheme below, if the security parameter is $k = 1024$, we can fold up to 767 message bits into the signature.
Definition. Formally, the key generation and signing algorithms are as before, but $\mathcal{V}$ is replaced by $\mathrm{Recover}$, which takes $pk$ and $x$ and returns $\mathrm{Recover}_{pk}(x) \in \{0,1\}^* \cup \{\mathrm{REJECT}\}$. The distinguished point REJECT is used to indicate that the recipient rejected the signature; a return value of $M \in \{0,1\}^*$ indicates that the verifier accepts the message $M$ as authentic. The formulation of security is the same except for what it means for the forger to be successful: it should provide an $x$ such that $\mathrm{Recover}_{pk}(x) = M \in \{0,1\}^*$, where $M$ was not a previous signing query. We demand that if $x$ is produced via $x \leftarrow \mathcal{S}_{sk}(M)$ then $\mathrm{Recover}_{pk}(x) = M$.
A simple variant of PSS achieves message recovery. We now describe that scheme and its security.
The scheme. The scheme $\mathrm{PSSR}[k_0, k_1] = (\mathcal{K}, \mathrm{SignPSSR}, \mathrm{RecPSSR})$ is parameterized by $k_0$ and $k_1$, as before. The key generation algorithm is $\mathcal{K}^{\mathrm{rsa}}$, the same as before. As with PSS, the signing and verifying algorithms depend on hash functions $h\colon \{0,1\}^* \to \{0,1\}^{k_1}$ and $g\colon \{0,1\}^{k_1} \to \{0,1\}^{k - k_1 - 1}$, and we use the same $g_1$ and $g_2$ notation. For simplicity of explication, we assume that the messages to be signed have length $n = k - k_0 - k_1 - 1$. (Suggested choices of parameters are $k = 1024$, $k_0 = k_1 = 128$ and $n = 767$.) In this case, we produce “enhanced signatures” of only $k$ bits from which the verifier can recover the $n$-bit message and simultaneously check authenticity. Signature generation and verification proceed as follows. Refer to Figure 10.2 for a picture.
Algorithm $\mathrm{SignPSSR}^{g,h}_{N,d}(M)$
    $r \xleftarrow{\$} \{0,1\}^{k_0}$ ; $w \leftarrow h(M\|r)$
    $r^* \leftarrow g_1(w) \oplus r$
    $M^* \leftarrow g_2(w) \oplus M$
    $y \leftarrow 0\|w\|r^*\|M^*$
    $x \leftarrow y^d \bmod N$
    Return $x$
Algorithm $\mathrm{RecPSSR}^{g,h}_{N,e}(x)$
    $y \leftarrow x^e \bmod N$
    Parse $y$ as $b\|w\|r^*\|M^*$ where $|b| = 1$, $|w| = k_1$, $|r^*| = k_0$
    $r \leftarrow r^* \oplus g_1(w)$
    $M \leftarrow M^* \oplus g_2(w)$
    If ( $h(M\|r) = w$ and $b = 0$ ) then return $M$ else return REJECT
The difference in SignPSSR with respect to SignPSS is that the last part of $y$ is not $g_2(w)$. Instead, $g_2(w)$ is used to “mask” the message, and the masked message $M^*$ is the last part of the image point $y$.
The above is easily adapted to handle messages of arbitrary length. A fully-specified scheme would use about $\min\{k,\; n + k_0 + k_1 + 16\}$ bits.
Security. The security of PSSR is the same as for PSS.
Theorem 10.22 [26] Let $\mathcal{DS}$ be the PSS with recovery scheme with security parameters $k_0$ and $k_1$. Let $F$ be an adversary making $q_{\mathrm{sig}}$ signing queries and $q_{\mathrm{hash}} \ge 1 + q_{\mathrm{sig}}$ hash oracle queries. Then there exists an adversary $I$ such that
$$\mathrm{Adv}^{\mathrm{uf\text{-}cma}}_{\mathcal{DS}}(F) \;\le\; \mathrm{Adv}^{\mathrm{ow\text{-}kea}}_{\mathcal{K}^{\mathrm{rsa}}}(I) + \left[3(q_{\mathrm{hash}} - 1)^2\right] \left(2^{-k_0} + 2^{-k_1}\right), \qquad (10.7)$$
and the running time of $I$ is that of $F$ plus $q_{\mathrm{hash}} \cdot O(k^3)$.
The proof of this theorem is very similar to that of Theorem 10.21.
10.5.12 How to implement the hash functions
In the PSS we need a concrete hash function $h$ with output length some given number $k_1$. Typically we will construct $h$ from some cryptographic hash function $H$ such as $H = \mathrm{MD5}$ or $H = \mathrm{SHA\text{-}1}$. Ways to do this have been discussed before in [15, 25]. For completeness we quickly summarize some of these possibilities. The simplest is to define $h(x)$ as the appropriate-length prefix of
$$H(\mathrm{const} . \langle 0 \rangle . x)\; H(\mathrm{const} . \langle 1 \rangle . x)\; H(\mathrm{const} . \langle 2 \rangle . x) \cdots .$$
The constant $\mathrm{const}$ should be unique to $h$; to make another hash function, $g$, simply select a different constant.
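PSS (Section 10.5.10), PSSR (Section 10.5.11) and the counter construction of $h$ and $g$ just described, as one added Python example that is not code from the notes or from [26]. It assumes a constructed toy RSA key built from the primes $2^{31} - 1$ and $2^{32} - 5$ (so $k = 63$), the parameters $k_0 = k_1 = 16$, SHA-256 in the role of $H$ in place of MD5 or SHA-1, and the constants `toy-pss-compressor` and `toy-pss-generator` as the per-function `const`; messages and seeds are handled as integers of known bit length, and `None` plays the role of REJECT. All function names are this example's own.

```python
# Added example (not from the lecture notes or from [26]): PSS and PSSR over a
# constructed toy RSA key, with h and g built from SHA-256 by the counter
# construction of Section 10.5.12.  Parameters are chosen for illustration.
import hashlib

P = 2147483647                  # 2^31 - 1 (prime); toy key, not for real use
Q = 4294967291                  # 2^32 - 5 (prime)
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = N.bit_length()              # 63 here, so y = 0||... is always below N
K0 = K1 = 16                    # seed and compressor lengths, K0 + K1 <= K - 1
NMSG = K - K0 - K1 - 1          # 30: length of g2(w), and of PSSR messages
H_CONST, G_CONST = b"toy-pss-compressor", b"toy-pss-generator"

def hash_to_bits(const, data, nbits):
    """Prefix of H(const.<0>.data) H(const.<1>.data) ... as an nbits-bit
    integer; a different const gives an independent-looking function."""
    out, i = b"", 0
    while 8 * len(out) < nbits:
        out += hashlib.sha256(const + bytes([i]) + data).digest()
        i += 1
    return int.from_bytes(out, "big") >> (8 * len(out) - nbits)

def to_bytes(v, nbits):
    return v.to_bytes((nbits + 7) // 8, "big")

def h(m, mbits, r):
    """Compressor h(M || r) -> k1 bits; m is an mbits-bit integer, r a K0-bit seed."""
    return hash_to_bits(H_CONST, to_bytes((m << K0) | r, mbits + K0), K1)

def g1g2(w):
    """Generator g(w), split into g1(w) (first K0 bits) and g2(w) (the rest)."""
    gw = hash_to_bits(G_CONST, to_bytes(w, K1), K - K1 - 1)
    return gw >> NMSG, gw & ((1 << NMSG) - 1)

def parse_image(y):
    """Split y = b || w || r* || tail into its fields (lengths 1, K1, K0, NMSG)."""
    b = y >> (K - 1)
    w = (y >> (K - K1 - 1)) & ((1 << K1) - 1)
    r_star = (y >> NMSG) & ((1 << K0) - 1)
    return b, w, r_star, y & ((1 << NMSG) - 1)

def sign_pss(m, mbits, r):
    w = h(m, mbits, r)
    g1, g2 = g1g2(w)
    y = (w << (K - K1 - 1)) | ((g1 ^ r) << NMSG) | g2      # leading bit is 0
    return pow(y, D, N)

def verify_pss(m, mbits, x):
    if not 1 <= x < N:                       # the "range check" the notes omit
        return False
    b, w, r_star, gamma = parse_image(pow(x, E, N))
    g1, g2 = g1g2(w)
    return b == 0 and h(m, mbits, r_star ^ g1) == w and g2 == gamma

def sign_pssr(m, r):
    """m is an NMSG-bit message, folded into the signature as M* = g2(w) ^ M."""
    w = h(m, NMSG, r)
    g1, g2 = g1g2(w)
    y = (w << (K - K1 - 1)) | ((g1 ^ r) << NMSG) | (g2 ^ m)
    return pow(y, D, N)

def recover_pssr(x):
    """Returns the recovered message, or None in the role of REJECT."""
    if not 1 <= x < N:
        return None
    b, w, r_star, m_star = parse_image(pow(x, E, N))
    g1, g2 = g1g2(w)
    r, m = r_star ^ g1, m_star ^ g2
    return m if (b == 0 and h(m, NMSG, r) == w) else None
```

The seed `r` is passed in explicitly so that runs are reproducible; a real signer draws it fresh from `secrets` for every signature, which is what makes two signatures on the same message differ.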
10.5.13 Comparison with other schemes
We have already discussed the PKCS standards [179, 180] and the ISO standard [1] and seen that their security cannot be justified based on the assumption that RSA is trapdoor one-way. Other standards, such as [9], are similar to [179], and the same statement applies.
The schemes we discuss in the remainder of this section do not use the hash-then-decrypt paradigm.
Signature schemes whose security can be provably based on the RSA assumption include [105, 14, 152, 177, 78]. The major plus of these works is that they do not use an ideal hash function (random oracle) model: the provable security is in the standard sense. On the other hand, the security reductions are quite loose for each of those schemes. On the efficiency front, the efficiency of the schemes of [105, 14, 152, 177] is too poor to seriously consider them for practice. The Dwork-Naor scheme [78], on the other hand, is computationally quite efficient, taking two to six RSA computations, although there is some storage overhead and the signatures are longer than a single RSA modulus. This scheme is the best current choice if one is willing to allow some extra computation and storage, and one wants well-justified security without assuming an ideal hash function.
Back among signature schemes which assume an ideal hash, a great many have been proposed, based on the hardness of factoring or other assumptions. Most of these schemes are derived from identification schemes, as was first done by [83]. Some of these methods are provable (in the ideal hash model), some not. In some of the proven schemes exact security is analyzed; usually it is not. In no case that we know of is the security tight. The efficiency varies. The computational requirements are often lower than a hash-then-decrypt RSA signature, although key sizes are typically larger.
Finally we note related new work. Pointcheval and Stern [165] consider the provable security of signatures in the random oracle model and show that a modified version of the El Gamal scheme [90], as well as the Schnorr [184] scheme, can be proven secure. (And the scheme of [83] can be proven secure against attacks in which there are no signature queries.) But they don’t consider exact security. An interesting question is to consider, and possibly improve, the exact security of their reductions (making, if necessary, modifications to the schemes). More recently, some quite simple RSA based signature schemes have appeared that have a proof of security based on a stronger and less standard assumption about RSA, but which do not rely on random oracles [92, 65].
10.6 Threshold Signature Schemes
Using a threshold signature scheme, digital signatures can be produced by a group of players rather than by one party. In contrast to the regular signature schemes where the signer is a single entity which holds the secret key, in threshold signature schemes the secret key is shared by a group of $n$ players. In order to produce a valid signature on a given message $m$, individual players produce their partial signatures on that message, and then combine them into a full signature on $m$. A distributed signature scheme achieves threshold $t < n$, if no coalition of $t$ (or less) players can produce a new valid signature, even after the system has produced many signatures on different messages. A signature resulting from a threshold signature scheme is the same as if it was produced by a single signer possessing the full secret signature key. In particular, the validity of this signature can be verified by anyone who has the corresponding unique public verification key. In other words, the fact that the signature was produced in a distributed fashion is transparent to the recipient of the signature.
Threshold signatures are motivated both by the need that arises in some organizations to have a group of employees agree on a given message (or a document) before signing it, as well as by the need to protect signature keys from the attack of internal and external adversaries. The latter becomes increasingly important with the actual deployment of public key systems in practice. The signing power of some entities (e.g., a government agency, a bank, a certification authority) inevitably invites attackers to try and “steal” this power. The goal of a threshold signature scheme is twofold: to increase the availability of the signing agency, and at the same time to increase the protection against forgery by making it harder for the adversary to learn the secret signature key. Notice that in particular, the threshold approach rules out the naive solution based on traditional secret sharing (see Chapter 12), where the secret key is shared in a group but reconstructed by a single player each time that a signature is to be produced. Such a protocol would contradict the requirement that no $t$ (or less) players can ever produce a new valid signature. In threshold schemes, multiple signatures are produced without an exposure or an explicit reconstruction of the secret key.
Threshold signatures are part of a general approach known as threshold cryptography. This approach has received considerable attention in the literature; we refer the reader to [70] for a survey of the work in this area. Particular examples of solutions to threshold signature schemes can be found in [69, 183] for RSA and in [109] for ElGamal-type signatures.
A threshold signature scheme is called robust if not only $t$ or less players cannot produce a valid signature, but also cannot prevent the remaining players from computing a signature on their own. A robust scheme basically foils possible denial of service attacks on the part of corrupted servers. The solutions mentioned above are not robust. In this chapter we will concentrate on robust schemes. We will not go into technical details. The goal of this section is to present the reader with the relevant notions and point to the sources in the literature.
In the following we will refer to the signing servers with the letters $P_1, \ldots, P_n$.
10.6.1 Key Generation for a Threshold Scheme
The task of generating a key for a threshold signature scheme is more complicated than when we are in the presence of a single signer. Indeed we must generate a public key $PK$ whose matching secret key $SK$ is shared in some form among the servers $P_1, \ldots, P_n$.
A way of doing this is to have some trusted dealer who generates a key pair $(PK, SK)$ for the given signature scheme, makes $PK$ public and shares $SK$ among the $P_i$’s using a secret sharing protocol (see Chapter 12). However notice that such a key generation mechanism contradicts the requirement that no single entity should be able to sign, as now the dealer knows the secret key $SK$ and he is able to sign on his own. This is why people have been trying to avoid the use of such a dealer during the key generation phase.
For the case of discrete-log based signature schemes, this quest has been successful. Robust threshold signature schemes for the El Gamal, Schnorr and DSS signature schemes (see [90, 184, 85]) can be found in [53, 159, 94], all using underlying results of Feldman and Pedersen [82, 160, 161].
Yet, in some cases the dealer solution is the best we can do. For example, if the underlying signature scheme is RSA, then we do not know how to generate a key in a shared form without the use of a dealer.
10.6.2 The Signature Protocol
Once the key is generated and in some way shared among the servers $P_1, \ldots, P_n$ we need a signature protocol. The idea is that on input a message $M$, the servers will engage in some form of communication that will allow them to compute a signature $\sigma$ for $M$, without revealing the secret key. Such a protocol should not leak any information beyond such signature $\sigma$. Also in order to obtain the robustness property, such protocols should correctly compute the signature even if up to $t$ servers $P_i$ are corrupted and behave in any way during the protocol. If possible the computation required by a server $P_i$ to sign in this distributed manner should be comparable to the effort required if $P_i$ were signing on his own. Interaction should be reduced to a minimum.
For El Gamal-like schemes robust threshold signature schemes can be found in [53, 159]. The specific case of DSS turned out to be very difficult to handle. The best solution is in [94].
RSA turned out to be even less amenable to the construction of robust schemes. A somewhat inefficient solution (requires much more computation and a lot of interaction between servers) can be found in [86]. A very efficient and non-interactive solution was independently proposed in [93].
Chapter 11
Key distribution
We have looked extensively at encryption and data authentication and seen lots of ways to design schemes for these tasks. We must now address one of the assumptions underlying these schemes. This is the assumption that the parties have available certain kinds of keys.
This chapter examines various methods for key distribution and key management. A good deal of our effort will be expended in understanding the most important practical problem in the area, namely session key distribution. Let us begin with the classic secret key exchange protocol of Diffie and Hellman.
11.1 Diffie-Hellman secret key exchange
Suppose Alice and Bob have no keys (shared or public), and want to come up with a joint key which they would use for private key cryptography. The Diffie-Hellman (DH) secret key exchange (SKE) protocol [72] enables them to do just this.
11.1.1 The protocol
We fix a prime $p$ and a generator $g \in Z_p^*$. These are public, and known not only to all parties but also to the adversary $E$.
$A$ picks $x \in Z_{p-1}$ at random and lets $X = g^x \bmod p$. She sends $X$ to $B$.
$B$ picks $y \in Z_{p-1}$ at random and lets $Y = g^y \bmod p$. He sends $Y$ to $A$.
Now notice that
$$X^y = (g^x)^y = g^{xy} = (g^y)^x = Y^x,$$
the operations being in the group $Z_p^*$. Let’s call this common quantity $K$. The crucial fact is that both parties can compute it! Namely $A$ computes $Y^x$, which is $K$, and $B$ computes $X^y$, which is also $K$, and now they have a shared key.
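The exchange above, as an added example that is not part of the original notes. It assumes the constructed safe prime $p = 2039 = 2 \cdot 1019 + 1$ and picks a generator by the usual order check for safe primes; the brute-force discrete logarithm at the end succeeds only because $p$ has 11 bits, which is exactly why the next section recommends primes of 512 bits or more. All function names are this example's own.

```python
# Added example (not from the lecture notes): the Diffie-Hellman exchange of
# Section 11.1.1 over a constructed toy safe prime.  The prime is far too
# small for real use; it only makes the flows and the attack cost visible.
import random

P_TOY = 2039                 # = 2*1019 + 1; both 2039 and 1019 are prime
Q_TOY = (P_TOY - 1) // 2

def is_generator(g, p, q):
    """For a safe prime p = 2q+1, g generates Z_p^* iff g^2 != 1 and g^q != 1."""
    return 1 < g < p and pow(g, 2, p) != 1 and pow(g, q, p) != 1

def find_generator(p, q):
    return next(g for g in range(2, p) if is_generator(g, p, q))

def dh_exchange(p, g, x=None, y=None, rng=random):
    """One run of the protocol.  x and y may be fixed for reproducibility;
    otherwise they are drawn at random from Z_{p-1} (zero excluded, since
    g^0 = 1 would make the key trivially known).  Returns (X, Y, K_A, K_B)."""
    if x is None:
        x = rng.randrange(1, p - 1)
    if y is None:
        y = rng.randrange(1, p - 1)
    X = pow(g, x, p)          # A -> B
    Y = pow(g, y, p)          # B -> A
    k_a = pow(Y, x, p)        # A computes Y^x
    k_b = pow(X, y, p)        # B computes X^y
    return X, Y, k_a, k_b

def eavesdropper_dlog(g, X, p):
    """What E has to do to get x from X: solve the discrete logarithm.  Trial
    exponentiation works here only because p has 11 bits; for the 1024-bit
    primes the notes recommend there is no known feasible method."""
    for cand in range(p - 1):
        if pow(g, cand, p) == X:
            return cand
    return None
```

Both parties end with the same `K` even though each used only its own exponent and the other's public value; `eavesdropper_dlog` shows the cost the adversary must pay, which grows with $p$ while the parties' cost stays at one exponentiation each.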
11.1.2 Security against eavesdropping: The DH problem
Is this secure? Consider an adversary that is sitting on the wire and sees the flows that go by. She wants to compute $K$. What she sees is $X$ and $Y$. But she knows neither $x$ nor $y$. How could she get $K$? The natural attack is to find either $x$ or $y$ (either will do!) from which she can easily compute $K$. However, notice that computing $x$ given $X$ is just the discrete logarithm problem in $Z_p^*$, which is widely believed to be intractable (for suitable choices of the prime $p$). Similarly for computing $y$ from $Y$. Accordingly, we would be justified in having some confidence that this attack would fail.
A number of issues now arise. The first is that computing discrete logarithms is not the only possible attack to try to recover $K$ from $X, Y$. Perhaps there are others. To examine this issue, let us formulate the computational problem the adversary is trying to solve. It is the following:
The DH Problem: Given $g^x$ and $g^y$ for $x, y$ chosen at random from $Z_{p-1}$, compute $g^{xy}$.
Thus the question is how hard is this problem? We saw that if the discrete logarithm problem in $Z_p^*$ is easy then so is the DH problem; i.e. if we can compute discrete logs we can solve the DH problem. Is the converse true? That is, if we can solve the DH problem, can we compute discrete logarithms? This remains an open question. To date it seems possible that there is some clever approach to solving the DH problem without computing discrete logarithms. However, no such approach has been found. The best known algorithm for the DH problem is to compute the discrete logarithm of either $X$ or $Y$. This has led cryptographers to believe that the DH problem, although not known to be equivalent to the discrete logarithm one, is still a computationally hard problem, and that as a result the DH secret key exchange is secure in the sense that a computationally bounded adversary can’t compute the key $K$ shared by the parties.
The DH Assumption: The DH problem is computationally intractable.
These days the size of the prime $p$ is recommended to be at least 512 bits and preferably 1024. As we have already seen, in order to make sure the discrete logarithm problem modulo $p$ is intractable, $p - 1$ should have at least one large factor. In practice we often take $p = 2q + 1$ for some large prime $q$.
The relationship between the DH problem and the discrete logarithm problem is the subject of much investigation. See for example Maurer [141].
11.1.3 The DH cryptosystem
The DH secret key exchange gives rise to a very convenient public key cryptosystem. A party $A$ will choose as its secret key a random point $x \in Z_{p-1}$, and let $X = g^x$ be its public key. Now if party $B$ wants to privately send $A$ a message $M$, it would proceed as follows.
First, the parties agree on a private key cryptosystem $(\mathcal{E}, \mathcal{D})$ (cf. Chapter 6). For concreteness assume it is a DES based cryptosystem, so that it needs a 56 bit key. Now $B$ picks $y$ at random from $Z_{p-1}$ and computes the DH key $K = X^y = g^{xy}$. From this, he extracts a 56 bit key $a$ for the private key cryptosystem according to some fixed convention, for example by letting $a$ be the first 56 bits of $K$. He now encrypts the plaintext $M$ under $a$ using the private key cryptosystem to get the ciphertext $C = \mathcal{E}_a(M)$, and transmits the pair $(Y, C)$ where $Y = g^y$.
$A$ receives $(Y, C)$. Using her secret key $x$ she can compute the DH key $K = Y^x = g^{xy}$, and thus recover $a$. Now she can decrypt the ciphertext $C$ according to the private key cryptosystem, via $M = \mathcal{D}_a(C)$, and thus recover the plaintext $M$.
Intuitively, the security would lie in the fact that the adversary is unable to compute $K$ and hence $a$. This, however, is not quite right, and brings us to the issue of the bit security of the DH key.
11.1.4 Bit security of the DH key
Above the ﬁrst 56 bits of the key K = g
xy
is used as the key to a private key cryptosystem. What we know (are
willing to assume) is that given g
x
, g
y
the adversary cannot recover K. This is not enough to make the usage
of K as the key to the private key cryptosystem secure. What if the adversary were able to recover the ﬁrst 56
bits of K, but not all of K? Then certainly the above cryptosystem would be insecure. Yet, having the ﬁrst 56
bits of K may not enable one to ﬁnd K, so that we have not contradicted the DH assumption.
208 Goldwasser and Bellare
This is an issue we have seen before in many contexts, for example with one-way functions and with encryption. It is the problem of partial information. If f is one-way it means given f(x) I can't find x; it doesn't mean I can't find some bits of x. Similarly, here, that we can't compute K doesn't mean we can't compute some bits of K.
Indeed, it turns out that computing the last bit (i.e. LSB) of $K = g^{xy}$ given $g^x, g^y$ is easy. To date there do not seem to be other detectable losses of partial information. Nonetheless it would be unwise to just use some subset of bits of the DH key as the key to a private key cryptosystem. Assuming that these bits are secure is a much stronger assumption than the DH assumption.
So what could we do? In practice, we might hash the DH key K to get a symmetric key a. For example, applying a cryptographic hash function like SHA1 to K yields 160 bits that might have better "randomness" properties than the DH key. Now use the first 56 bits of this if you need a DES key.
However, while the above may be a good heuristic in practice, it can't be validated without very strong assumptions on the randomness properties of the hash function. One possibility that can be validated is to extract hard bits from the DH key via an analogue of Theorem 2.49. Namely, let r be a random string of length $|p|$ and let b be the dot product of K and r. Then predicting b given $g^x, g^y$ is infeasible if computing $K = g^{xy}$ given $g^x, g^y$ is infeasible. The drawback of this approach is that one gets very few bits. To get 56 bits one would need to exchange several DH keys and get a few bits from each.
We saw in Chapter 2 that for certain one-way functions we can present hard-core predicates, the prediction of which can be reduced to the problem of inverting the function itself. A theorem like that for the DH key would be nice, and would indicate how to extract bits to use for a symmetric key. Recently results of this kind have been proved by Boneh and Venkatesan [46].
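As an added illustration, not part of the original notes, here is the key derivation discussed in this subsection in Python: a toy Diffie-Hellman exchange, the "hash K and truncate" heuristic, and the extraction of one hard bit per exchange as the dot product of K with a random string r of length |p|, repeated 56 times to obtain a 56 bit key. The modulus (the Mersenne prime 2^127 - 1), the element g = 5, the SHA-256 hash and all function names are assumptions made for the example; the group is far too small for real use.

```python
import hashlib
import secrets

# Toy group parameters, constructed for this example only: the modulus is the
# Mersenne prime 2^127 - 1 and g = 5 is simply some element of Z_p^*.  Real
# deployments use a standardised group of 2048 bits or more.
P = 2**127 - 1
G = 5
PLEN = P.bit_length()          # |p|, the length of the random string r below


def dh_keypair(p=P, g=G):
    """Return (x, X) with x random in Z_{p-1} and X = g^x mod p."""
    x = secrets.randbelow(p - 1)
    return x, pow(g, x, p)


def dh_shared(peer_public, my_secret, p=P):
    """K = (g^y)^x = g^{xy} mod p, computed from the peer's public value."""
    return pow(peer_public, my_secret, p)


def first_bits(K, nbits=56, p=P):
    """The naive convention: the leading nbits of K written as a |p|-bit string.
    The notes explain why the DH assumption alone does not justify this."""
    return K >> (p.bit_length() - nbits)


def hashed_key(K, nbits=56, p=P):
    """The practical heuristic: hash K with a cryptographic hash, then truncate."""
    kbytes = K.to_bytes((p.bit_length() + 7) // 8, "big")
    digest = hashlib.sha256(b"dh-derived-key:" + kbytes).digest()
    return int.from_bytes(digest, "big") >> (256 - nbits)


def hardcore_bit(K, r):
    """b = <K, r> mod 2: the dot product over GF(2) of K and the |p|-bit string r."""
    return bin(K & r).count("1") & 1


def exchange_hardcore_bits(nbits=56, p=P, g=G):
    """Build an nbits key from nbits independent DH exchanges, one hard bit each.
    Returns (key as computed by A, key as computed by B); the two must agree."""
    key_a = key_b = 0
    for _ in range(nbits):
        x, X = dh_keypair(p, g)          # A's secret exponent and public value
        y, Y = dh_keypair(p, g)          # B's secret exponent and public value
        r = secrets.randbits(PLEN)       # public random string of length |p|
        bit_a = hardcore_bit(dh_shared(Y, x, p), r)   # A computes K = Y^x
        bit_b = hardcore_bit(dh_shared(X, y, p), r)   # B computes K = X^y
        key_a = (key_a << 1) | bit_a
        key_b = (key_b << 1) | bit_b
    return key_a, key_b


def single_exchange(p=P, g=G):
    """One exchange: both sides' K plus the 56-bit key each derives by hashing."""
    x, X = dh_keypair(p, g)
    y, Y = dh_keypair(p, g)
    K_a, K_b = dh_shared(Y, x, p), dh_shared(X, y, p)
    return K_a, K_b, hashed_key(K_a), hashed_key(K_b)
```

The hard-bit route costs one full exponentiation pair per output bit, which is the "very few bits" drawback the text mentions; the hashed route costs one exchange but rests on an unproven assumption about the hash function.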
11.1.5 The lack of authenticity
At first glance, the DH secret key exchange might appear to solve in one stroke the entire problem of getting keys to do cryptography. If A wants to share a key with B, they can just do a DH key exchange to get one, and then use private key cryptography.
Don't do it. The problem is authenticity. The security of the DH key is against a passive adversary, or eavesdropper. It is assumed that the adversary will recover the transmitted data but not try to inject data on the line. In practice, of course, this is an untenable assumption. It is quite easy to inject messages on networks, and hackers can mount active attacks.
What damage can this do? Here is what the adversary does. She calls up B and simply plays the role of A. That is, she claims to be A, who is someone with whom B would like to share a key, and then executes the DH protocol like A would. Namely she picks x at random and sends $X = g^x$ to B. B returns $Y = g^y$ and now B and the adversary share the key $K = g^{xy}$. But B thinks the key is shared with A. He might encrypt confidential data using K, and then the adversary would recover this data.
Thus in the realistic model of an active adversary, the DH key exchange is of no direct use. The real problem is to exchange a key in an authenticated manner. It is this that we now turn to.
However, we remark that while the DH key exchange is not a solution, by itself, to the key distribution problem in the presence of an active adversary, it is a useful tool. We will see how to use it in conjunction with other tools we will develop to add to session key distribution protocols nice features like "forward secrecy."
11.2 Session key distribution
Assume now we are in the presence of an active adversary. The adversary can inject messages on the line and
alter messages sent by legitimate parties, in addition to eavesdropping on their communications. We want to
get shared keys.
A little thought will make it clear that if the legitimate parties have no information the adversary does not
know, it will not be possible for them to exchange a key the adversary does not know. This is because the
adversary can just impersonate one party to another, like in the attack on DH above. Thus, in order to get off
the ground, the legitimate parties need an “information advantage.” This is some information, predistributed
over a trusted channel, which the adversary does not know, and which enables them to securely exchange keys
in the future.
We now discuss various ways to realize this information advantage, and the session key distribution problems
to which they give rise. Then we explain the problem in more depth. We largely follow [16, 17].
11.2.1 Trust models and key distribution problems
What forms might the information advantage take? There are various diﬀerent trust models and corresponding
key distribution problems.
The three party model
This model seems to have been first mentioned by Needham and Schroeder [154]. It has since been popularized largely by the Kerberos system [199].
In this model there is a trusted party called the authentication server, and denoted S. Each party A in the system has a key $K_A$ which it shares with the server. This is a private key between these two parties, not known to any other party. When two parties A, B, sharing, respectively, keys $K_A$ and $K_B$ with S, want to engage in a communication session, a three party protocol will be executed, involving A, B and S. The result will be to issue a common key K to A and B. They can then use this key to encrypt or authenticate the data they send each other.
The distributed key is supposed to be a secure session key. When the parties have completed their communication session, they will discard the key K. If later they should desire another communication session, the three party protocol will be re-executed to get a new, fresh session key.
What kinds of security properties should this distributed session key have? We will look at this question in depth later. It is an important issue, since, as we will see, session key distribution protocols must resist a variety of novel attacks.
The two party asymmetric model
When public key cryptography can be used, the authentication server's active role can be eliminated. In this trust model, the assumption is that A has the public key $pk_B$ of B, and B has the public key $pk_A$ of A. These keys are assumed authentic. That is, A is assured the key he holds is really the public key of B and not someone else, and analogously for B.¹
Now, suppose A and B want to engage in a secure communication session. The problem we want to consider is how they can get a shared, private and authentic session key based on the public keys, via a two party protocol.
Questions pertaining to what exactly is the problem, and why, may arise here. We already know that we can authenticate and encrypt data with public keys. That is, the parties already have the means to secure communication. So why do they need a shared session key?
There are several reasons. One is that private key cryptography, at least under current technology, is considerably more efficient than public key cryptography. The second, and probably more important, is that it is convenient to have session keys. They allow one to associate a key uniquely to a session. This is an advantage for the following reasons.
Keys actually used to encrypt or authenticate data get greater exposure. They are used by applications in ways that may not be known, or controllable, beforehand. In particular, an application might misuse a key, or expose it. This might (or might not) compromise the current session, but we would not like it to compromise the long lived secret key and thus other uses and sessions. Similarly, the long lived secret key of a user A (namely the secret key $sk_A$ corresponding to her public key $pk_A$) may be stored in protected hardware and accessed only via a special interface, while the session key lies on a more exposed machine.
¹ How is this situation arrived at? That isn't a problem we really want to discuss yet: it falls under the issue of key management and will be discussed later. But, briefly, what we will have is trusted servers which provide public, certified directories of users and their public keys. The server maintains for each user identity a public key, and provides this upon request to any other user, with a signature of the server that serves as a certificate of authenticity. Barring this directory service, however, the server plays no active role.
The two party symmetric model
Probably the simplest model is of two parties who already share a long lived key. Each time they wish to engage
in a communication session they will run a protocol to derive a session key.
Again, the motivation is the convenience and security advantages of session keys. We stress the main one. A
host of applications might be run by the users, all wanting keys for one reason or another. We don’t want to
make assumptions about how they use the key. Some might use it in ways that are secure for their own purposes
but compromise the key globally. In order for this not to affect the global security, we assign each run of each
application a separate session key.
11.2.2 History of session key distribution
Although session key distribution is an old problem, it is only recently that a cryptographically sound treatment
of it, in the “provable security” or “reductionist” tradition that these lecture notes are describing, has emerged
[16, 17]. Via this approach we now have models in which to discuss and prove correct protocols, and several
protocols proven secure under standard cryptographic assumptions.
The history prior to this was troubled. Session key distribution is an area in which a large number of papers are
published, proposing protocols to solve the problem. However, many of them are later broken, or suffer from
discernible design flaws.
The problem is deceptively simple. It is easy to propose protocols in which subtle security problems later
emerge.
In the three party case, Needham and Schroeder [154] describe a number of candidate protocols. They had prophetically ended their paper with a warning on this approach, saying that "protocols such as those developed here are prone to extremely subtle errors that are unlikely to be detected in normal operations. The need for techniques to verify the correctness of such protocols is great . . .". Evidence of the authors' claim came unexpectedly when a bug was pointed out in their own "Protocol 1" (Denning and Sacco, [68]).² Many related protocols were eventually to suffer the same fate.
As a result of a long history of such attacks there is finally a general consensus that session key distribution is not a goal adequately addressed by giving a protocol for which the authors can find no attacks.
A large body of work, beginning with Burrows, Abadi and Needham [49], aims to improve on this situation via the use of special-purpose logics. The aim is to demonstrate a lack of "reasoning problems" in a protocol being analyzed. The technique has helped to find errors in various protocols, but a proof that a protocol is "logically correct" does not imply that it is right (once its abstract cryptographic operations are instantiated). Indeed it is easy to come up with concrete protocols which are logically correct but blatantly insecure.
Examining the work on the session key distribution problem, one finds that the bulk of it is divorced from basic cryptographic principles. For example one finds over and over again a confusion between data encryption and data authentication. The most prevalent problem is a lack of specification of what exactly is the problem that one is trying to solve. There is no model of adversarial capabilities, or definition of security.
Influential works in this area were Bird et al. [35] and Diffie et al. [73]. In particular the former pointed to new classes of attacks, called "interleaving attacks," which they used to break existing protocols, and they suggested a protocol (2PP) defeated by none of the interleaving attacks they considered. Building on this, Bellare and Rogaway provide a model and a definition of security for two party symmetric session key distribution [16] and for three party session key distribution [17], just like we have for primitives like encryption and signatures. Based on this they derive protocols whose security can be proven based on standard cryptographic assumptions. It turns out the protocols are efficient too.
² Insofar as there were no formal statements of what this protocol was supposed to do, it is not entirely fair to call it buggy; but the authors themselves regarded the protocol as having a problem worthy of fixing [155].
Now other well justified protocols are also emerging. For example, the SKEME protocol of Krawczyk [126] is an elegant and multi-purpose two party session key distribution protocol directed at fulfilling the key distribution needs of Internet security protocols. Even more recently, a proven-secure protocol for session key distribution in smart cards was developed by Shoup and Rubin [195].
11.2.3 An informal description of the problem
We normally think of a party in a protocol as being devoted to that protocol alone; it is not doing other things alongside. The main element of novelty in session key distribution is that parties may simultaneously maintain multiple sessions. A party has multiple instances. It is these instances that are the logical endpoints of a session, not the party itself.
We let $\{P_1, \ldots, P_N\}$ denote the parties in the distributed system. As discussed above, a given pair of players, $P_i$ and $P_j$, may simultaneously maintain multiple sessions (each with its own session key). Thus it is not really $P_i$ and $P_j$ which form the logical endpoints of a secure session; instead, it is an instance $\Pi^s_{i,j}$ of $P_i$ and an instance $\Pi^t_{j,i}$ of $P_j$. We emphasize instances as a central aspect of the session key distribution problem, and one of the things that makes session key distribution different from many other problems.
It is the goal of a session-key distribution protocol to provide $\Pi^s_{i,j}$ and $\Pi^t_{j,i}$ with a session key $\sigma^{s,t}_{i,j}$ to protect their session. Instances $\Pi^s_{i,j}$ and $\Pi^t_{j,i}$ must come up with this key without knowledge of s, t, or whatever other instances may currently exist in the distributed system.
An active adversary attacks the network. She controls all the communication among the players: she can deliver messages out of order and to unintended recipients, concoct messages entirely of her own choosing, and start up entirely new instances of players. Furthermore, she can mount various attacks on session keys which we will discuss.
11.2.4 Issues in security
Ultimately, what we want to say is that the adversary cannot compromise a session key exchanged between a pair of instances of the legitimate parties. We must worry about two (related) issues: authentication, and key secrecy. The first means, roughly, that when an instance of i accepts B then it must have been "talking to" an instance of j. The second, roughly, means that if $\Pi^s_{i,j}$ and $\Pi^t_{j,i}$ share a session key then this key must be secure.
It is an important requirement on session keys that the key of one session be independent of another. This is
because we cannot make assumptions about how a session key will be used in an application. It might end up
exposing it, and we want this not to compromise other session keys. We model this in a worst case way by
allowing the adversary to expose session keys at will. Then we will say that a key shared between partners who
are unexposed must remain secure even if keys of other sessions are exposed.
One of the most important issues is what is meant by security of the key. The way it has traditionally been viewed is that the key is secure if the adversary cannot compute it. We have by now, however, seen time and again, in a variety of settings, that this is not the right notion of secrecy. We must also prevent partial information from leaking. (Examples of why this is important for session keys are easy to find, analogous to the many examples we have seen previously illustrating this issue.) Accordingly, the definitions ask that a session key be unpredictable in the sense of a probabilistically encrypted message.
We note that insufficient protection of the session key is a flaw that is present in all session key distribution protocols of which we are aware barring those of [16, 17]. In fact, this insecurity is often built in by a desire to have a property that is called "key confirmation." In order to "confirm" that it has received the session key, one party might encrypt a fixed message with it, and its ability to do so correctly is read by the other party as evidence that it has the right session key. But this reveals partial information about the key. It might seem unimportant, but one can find examples of usages of the session key which are rendered insecure by this kind of key confirmation. In fact "key confirmation," if needed at all, can be achieved in other ways.
11.2.5 Entity authentication versus key distribution
The goal of the key distributions we are considering is for the parties to simultaneously authenticate one another
and come into possession of a secure, shared session key. There are several ways one might interpret the notion
of authentication.
The literature has considered two ways. The first is authentication in a very strong sense, considered in [16] for
the two party case. This has been relaxed to a weaker notion in [17], considered for the three party case. The
weaker notion for the two party case is still under research and development.
Which to prefer depends on the setting. The approach we will follow here is to follow the existing literature.
Namely we will consider the stronger notion for the two party setting, and the weaker one for the three party
setting. It may perhaps be more correct to use the weaker notion throughout, and in a future version of these
notes we would hope to do so; the situation at present is simply that the formalizations of the weaker notion
for the two party case have not yet appeared.
11.3 Three party session key distribution
Needham-Schroeder 78 Protocol
Use the following notation:
$\{X\}_K$ = Encryption of X under key K.
$N_i$ = Nonce chosen by i.
Distribution Phase:
A → S: $A, B, N_A$
S → A: $\{N_A, B, \alpha, \{\alpha, A\}_b\}_a$
A → B: $\{\alpha, A\}_b$
Freshness / Replay check:
B → A: $\{N_B\}_\alpha$
A → B: $\{N_B - 1\}_\alpha$
The distributed session key is α.
Denning-Sacco 81: If a session key α is revealed to adversary E after the session is over then later, a compromised session can be created. E has a record of the full conversation:
A → S: $A, B, N_A$
S → A: $\{N_A, B, \alpha, \{\alpha, A\}_b\}_a$
A → B: $\{\alpha, A\}_b$
B → A: $\{N_B\}_\alpha$
A → B: $\{N_B - 1\}_\alpha$
Now α is leaked. So E does the following:
E → B: $\{\alpha, A\}_b$
B → A (intercepted by E): $\{N'_B\}_\alpha$
E → B: $\{N'_B - 1\}_\alpha$
Now B might encrypt a message under α and send it to A. But E can read it!
This has become known as a known key attack.
Why is this a problem?
The reason is that one user on one machine can run a host of different applications, all wanting security. Each takes as input a key and uses it as it wishes. View an application as a box, getting a key. But these applications use the keys in different ways, with different algorithms. Each uses it appropriately for its purposes, but that purpose may compromise the key for other purposes.
For example, Application 1 uses the key in the beginning as a one time pad, sending α⊕M for some M. Later, however, M is revealed. Hence, so is α. But we don't want this to compromise other sessions. If α is a session key, no problem. But if it is the long lived key, we are lost.
Similarly, Application 2 uses its key α only for authentication. At the end, for some reason, it reveals the key. This doesn't hurt the application. But it dooms the key for later use.
Thus, the user must be able to allocate keys to different applications in such a way that keys of one application are independent of another. If one is revealed, others are not compromised.
For example how about giving $f_K(i)$ to the ith application that is called up? Maintain i as a counter. The main problem is replay. Say $f_K(i)$ is revealed as above. Now start up a new session claiming this is the key.
Thus our goal should be to distribute session keys in such a way that keys distributed to one session are totally independent of those distributed to another.
This is not the only problem with this protocol. The other problem is a lack of adherence to good design principles. Rather than illustrate this here, however, let us look at a simplified Kerberos.
Kerberos
This is a simplified version 5. The full Kerberos is a hugely complex thing, with the Kerberos authentication server, ticket granting service, and clients, but we extract out a basic three party protocol.
A → S: $A, B$
S → A: $\{T, \alpha, B\}_a,\ t_B$ where $t_B = \{T, \alpha, A\}_b$
A → B: $\{A, T\}_\alpha,\ t_B$
B → A: $\{T + 1\}_\alpha$
Any discernible attacks? Not really. But a lack of basic cryptographic design principles.
Look at the flow $\{T, \alpha, B\}_a$. It is encrypted. Why? What is the goal? What properties do we want? Is the desired property secrecy? Certainly for α, but why the rest? So why encrypt? What should we really do? Let's try to figure out what is the problem. Let's look at each term and ask what we want from it:
α: must be secret.
T: Why should T be secret? No need. It is known, pretty much, anyway!
B: Why should B be secret? It is known!
Authentication: We want A to know that α came from S. What we need is that it be associated to α in an "unforgeable" way.
What is the tool to provide authenticity? MACs. Use them. What should this flow really be?
The only thing to encrypt is α. So let $C = \mathcal{E}_a(\alpha)$. Now this must be authentically tied to the other quantities. So the flow should be $T, B, C, \mathrm{MAC}_a(T, B, C)$. Similarly with other quantities. Let them do it. Also $\{A, T\}_\alpha$ is an encryption. Why? The inner things are not secret data, we don't want to hide them. What in fact is the purpose of the flow? Apparently to "confirm" key α. This is not a good way to do it.
I claim sending $\{A, T\}_\alpha$ is a design flaw. Why? It is a deterministic function of α. So it reveals partial information about α. This can be harmful. This goes back to our previous discussions about what are session keys. Recall they have to be good for any use. So partial information should not leak.
A good protocol
Fix a private key encryption scheme $(\mathcal{K}, \mathcal{E}, \mathcal{D})$ which is secure in the sense discussed in Chapter 6. Also fix a message authentication scheme $(\mathcal{K}', \mathrm{MAC}, \mathrm{VF})$ which is secure in the sense discussed in Chapter 9. The key $K_I$ shared between the server S and party I is a pair $(K^e_I, K^m_I)$ of keys, one a key for the encryption scheme and the other a key for the message authentication scheme. We now consider parties A, B, whose keys $K_A$ and $K_B$, respectively, have this form. A terse representation of the protocol of [17] is given in Figure 11.1, and a more complete explanation follows.
Flow 1. A → B: $R_A$
Flow 2. B → S: $R_A \| R_B$
Flow 3A. S → A: $\mathcal{E}_{K^e_A}(\alpha) \| \mathrm{MAC}_{K^m_A}(A \| B \| R_A \| \mathcal{E}_{K^e_A}(\alpha))$
Flow 3B. S → B: $\mathcal{E}_{K^e_B}(\alpha) \| \mathrm{MAC}_{K^m_B}(A \| B \| R_B \| \mathcal{E}_{K^e_B}(\alpha))$
Figure 11.1: Three party session key distribution protocol.
Here now is a more complete description of the flows and accompanying computations:
(1) In Step 1, party A chooses a random challenge $R_A$ and sends it to B.
(2) In Step 2, party B chooses a random challenge $R_B$ and sends $R_A \| R_B$ to S.
(3) In Step 3, S picks a random l-bit session key α which he will distribute. Then S encrypts this session key under each of the parties' shared keys. Namely he computes the ciphertexts $\alpha_A = \mathcal{E}_{K^e_A}(\alpha)$ and $\alpha_B = \mathcal{E}_{K^e_B}(\alpha)$. Then S computes $\mu_A = \mathrm{MAC}_{K^m_A}(A \| B \| R_A \| \alpha_A)$ and $\mu_B = \mathrm{MAC}_{K^m_B}(A \| B \| R_B \| \alpha_B)$. In flow 3A (resp. 3B) S sends A (resp. B) the message $\alpha_A \| \mu_A$ (resp. $\alpha_B \| \mu_B$).
(4) In Step 4A (resp. 4B) party A (resp. B) receives a message $\alpha'_A \| \mu'_A$ (resp. $\alpha'_B \| \mu'_B$) and accepts, with session key $\mathcal{D}_{K^e_A}(\alpha'_A)$ (resp. $\mathcal{D}_{K^e_B}(\alpha'_B)$), if and only if $\mathrm{VF}_{K^m_A}(A \| B \| R_A \| \alpha'_A, \mu'_A) = 1$ (resp. $\mathrm{VF}_{K^m_B}(A \| B \| R_B \| \alpha'_B, \mu'_B) = 1$).
This protocol has four flows. Typically, the three party key distribution protocols you will see in the literature have five. Four suffice if it is OK for S to communicate directly with each party. If only one party communicates directly with S, then five flows are used, since the flow from S to B has to be forwarded via A.
11.4 Authenticated key exchanges
We now look at the two party case, both symmetric and asymmetric. We look at providing authentic exchange of a session key, meaning the parties want to authenticate one another and simultaneously come into possession of a shared secret session key. The formal model, and the definition of what constitutes a secure authenticated session key distribution protocol, are provided in [16]. Here we will only describe some protocols.
First however let us note some conventions. We assume the parties want to come into possession of an l-bit, random shared secret key, e.g. l = 56. (More generally we could distribute a key from some arbitrary samplable distribution, but for simplicity let's stick to what is after all the most common case.) The session key will be denoted by α.
Whenever a party A sends a flow to another party B, it is understood that her identity A accompanies the flow, so that B knows who the flow purports to come from. (This has nothing to do with cryptography or security: it is just a service of the communication medium. Note this identity is not secured: the adversary can change it. If the parties want the claim secured, it is their responsibility to use cryptography to this end, and we will see how they do this.)
11.4.1 The symmetric case
Let K be the (long-lived) key shared between the parties.
The ISO protocol
The ISO protocol was actually just for authentication, but can be viewed as key distribution in some way. It doesn't matter to illustrate the problems.
A → B: $N_1$
B → A: $\mathcal{E}_K(N_2) \| \mathcal{E}_K(N_1)$
A → B: $N_2$
Figure 11.2: ISO Protocol
If you want to derive a session key, you can do it by setting the key to $F_K(N_1 \| N_2)$ where F is a PRF family.
The attack is to make A think it authenticated B when in fact B never sent a single message to anyone. It works by making A talk to itself, like this:
$A_1 \to B_1$: $N_1$. Namely the adversary asks A to start a session, claiming to be B. But the flow goes to E.
$E \to A_2$: $N_1$. Namely the adversary says she is B and is starting a session with A, and this is the first flow.
$A_2 \to E$: $\mathcal{E}_K(N_2) \| \mathcal{E}_K(N_1)$. Namely A responds in the second session, thinking it is talking to B, but E picks up the flow.
$E \to A_1$: $\mathcal{E}_K(N_2) \| \mathcal{E}_K(N_1)$. Namely E claims this is the response from B to A in the first session.
$A_1 \to E$: $N_2$. $A_1$ decrypts and sends the answer in the first session, and accepts B.
$E \to A_2$: $N_2$. Again $A_2$ accepts B.
You have two instances of A, each having accepted B, but B never opened his mouth.
A good protocol
We fix a private key encryption scheme $(\mathcal{K}, \mathcal{E}, \mathcal{D})$ and a private key message authentication scheme $(\mathcal{K}', \mathrm{MAC}, \mathrm{VF})$. The key K is divided into two parts, $K^e$ and $K^m$, the first to be used for encryption and the second for message authentication. The protocol, called Authenticated Key Exchange Protocol 1, is depicted in Figure 11.3, and a more complete description of the flows follows.
A → B: $R_A$
B → A: $R_B \| \mathcal{E}_{K^e}(\alpha) \| \mathrm{MAC}_{K^m}(B \| A \| R_A \| R_B \| \mathcal{E}_{K^e}(\alpha))$
A → B: $\mathrm{MAC}_{K^m}(A \| R_B)$
Figure 11.3: Protocol AKEP1: Session key distribution in symmetric setting.
Here is a more complete description of the flows:
(1) A picks at random a string $R_A$ and sends it to B.
(2) B picks at random a string $R_B$. She also picks at random an l-bit session key α. She encrypts it under $K^e$ to produce the ciphertext $C = \mathcal{E}_{K^e}(\alpha)$. She now computes the tag $\mu = \mathrm{MAC}_{K^m}(B \| A \| R_A \| R_B \| C)$. She sends $R_B, C, \mu$ to A.
(3) A verifies that $\mathrm{VF}_{K^m}(B \| A \| R_A \| R_B \| C, \mu) = 1$. If this is the case she computes the tag $\mathrm{MAC}_{K^m}(A \| R_B)$ and sends it to B. She also decrypts C via $\alpha = \mathcal{D}_{K^e}(C)$ to recover the session key.
(4) B verifies the last tag and accepts (outputting session key α) if the last tag was valid.
Remark 11.1 Notice that both encryption and message authentication are used. As we mentioned above, one of the commonly found fallacies in session key distribution protocols is to try to use encryption to provide authentication. One should really use a message authentication code.
Remark 11.2 It is important that the encryption scheme $(\mathcal{K}, \mathcal{E}, \mathcal{D})$ used above be secure in the sense we have discussed in Chapter 6. Recall in particular this means it is probabilistic. A single plaintext has many possible ciphertexts, depending on the probabilistic choices made by the encryption algorithms. These probabilistic choices are made by S when the latter encrypts the session key, independently for the two encryptions it performs. This is a crucial element in the security of the session key.
These remarks apply also to the protocols that follow, appropriately modified, of course, to reflect a change in setting. We will not repeat the remarks.
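As an added worked example (not code from the notes or from [16, 17]), the following Python implements both the three party protocol of Figure 11.1 and protocol AKEP1 of Figure 11.3 from the same two building blocks: a probabilistic encryption scheme in the style of Chapter 6, E_K(m) = r || (F_K(r) XOR m) with a fresh random r per call, and a MAC, both instantiated from HMAC-SHA256 under the assumption that it is a good PRF. The party identities "A" and "B", the 128 bit key length, the 16 byte challenges and all function names are choices made for the example. Two checks accompany the protocols: a flow 3A recorded from an earlier run is rejected by a fresh instance of A because its challenge R_A differs (the replay problem raised in Section 11.3), and the reflection used against the ISO protocol above fails against AKEP1 because the tag on flow 2 binds the two identities in order.

```python
import hashlib
import hmac
import secrets

L = 16  # session key length in bytes (the notes' l bits; here l = 128)


def prf(key, data):
    """PRF instantiated with HMAC-SHA256 (assumption: HMAC-SHA256 is a good PRF)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def enc(ke, m):
    """Probabilistic encryption as in Chapter 6: fresh random r every call,
    ciphertext r || (F_ke(r) XOR m)."""
    r = secrets.token_bytes(16)
    pad = prf(ke, b"enc" + r)[:len(m)]
    return r + bytes(a ^ b for a, b in zip(pad, m))


def dec(ke, c):
    r, body = c[:16], c[16:]
    pad = prf(ke, b"enc" + r)[:len(body)]
    return bytes(a ^ b for a, b in zip(pad, body))


def mac(km, *parts):
    """MAC over a length-prefixed (hence unambiguous) encoding of A||B||R||..."""
    return prf(km, b"mac" + b"".join(len(p).to_bytes(2, "big") + p for p in parts))


def vf(km, tag, *parts):
    return hmac.compare_digest(tag, mac(km, *parts))


def keygen():
    """A long-lived key is a pair (K^e, K^m): an encryption key and a MAC key."""
    return secrets.token_bytes(32), secrets.token_bytes(32)


# --- Three party protocol of Figure 11.1 (S talks directly to both parties) ---

def server_flow3(KA, KB, RA, RB):
    """Step 3: S picks alpha, encrypts it twice (independent coins), MACs each."""
    alpha = secrets.token_bytes(L)
    cA, cB = enc(KA[0], alpha), enc(KB[0], alpha)
    return (cA, mac(KA[1], b"A", b"B", RA, cA)), (cB, mac(KB[1], b"A", b"B", RB, cB))


def party_accept(K, R, flow3):
    """Step 4: decrypt alpha' only if the MAC over A||B||R||alpha' verifies."""
    c, tag = flow3
    return dec(K[0], c) if vf(K[1], tag, b"A", b"B", R, c) else None


def run_three_party(KA, KB, replay=None):
    """Returns (key accepted by A, key accepted by B, flow 3A).  If `replay` is a
    flow 3A recorded from an earlier run it is delivered to A instead of the
    fresh one; A must reject it because its challenge R_A is new."""
    RA = secrets.token_bytes(16)            # flow 1: A -> B
    RB = secrets.token_bytes(16)            # flow 2: B -> S sends R_A || R_B
    flow3A, flow3B = server_flow3(KA, KB, RA, RB)
    delivered = flow3A if replay is None else replay
    return party_accept(KA, RA, delivered), party_accept(KB, RB, flow3B), flow3A


# --- Protocol AKEP1 of Figure 11.3 (two parties sharing K = (K^e, K^m)) ---

def akep1_flow2(K, me, peer, RA):
    """Flow 2 by responder `me` for initiator `peer`: R_B, C, MAC(me||peer||R_A||R_B||C)."""
    RB, alpha = secrets.token_bytes(16), secrets.token_bytes(L)
    C = enc(K[0], alpha)
    return (RB, C, mac(K[1], me, peer, RA, RB, C)), alpha


def akep1_flow3(K, me, peer, RA, flow2):
    """Step 3: initiator `me` verifies flow 2, then sends MAC(me||R_B) and outputs alpha."""
    RB, C, mu = flow2
    if not vf(K[1], mu, peer, me, RA, RB, C):
        return None, None
    return mac(K[1], me, RB), dec(K[0], C)


def akep1_accept(K, peer, RB, tag):
    """Step 4: responder accepts if the last tag verifies."""
    return vf(K[1], tag, peer, RB)


def run_akep1(K):
    RA = secrets.token_bytes(16)                        # flow 1: A -> B
    flow2, alpha_b = akep1_flow2(K, b"B", b"A", RA)
    tag, alpha_a = akep1_flow3(K, b"A", b"B", RA, flow2)
    ok = tag is not None and akep1_accept(K, b"A", flow2[0], tag)
    return ok, alpha_a, alpha_b


def akep1_reflection_rejected(K):
    """The reflection from the ISO attack: E opens a second instance of A as
    responder (claiming to be B) and feeds A's own flow 2 back to instance 1.
    Instance 1 rejects, since the tag binds the two identities in order."""
    RA = secrets.token_bytes(16)                        # A_1 -> "B", picked up by E
    flow2_from_A2, _ = akep1_flow2(K, b"A", b"B", RA)  # A_2 answers E as responder
    tag, alpha = akep1_flow3(K, b"A", b"B", RA, flow2_from_A2)
    return tag is None and alpha is None
```

The MAC input is a length-prefixed encoding of the fields rather than their bare concatenation, so that no two different splittings of identities, challenges and ciphertext can yield the same MAC input; with variable-length fields, bare concatenation would leave that boundary ambiguous.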
11.4.2 The asymmetric case
We will be using public key cryptography. Speciﬁcally, we will be using both public key encryption and digital
signatures.
Fix a public key encryption scheme, and let $\mathcal{E}, \mathcal{D}$ denote, respectively, the encryption and the decryption algorithms for this scheme. The former takes a public encryption key $pk^e$ and message to return a ciphertext, and the latter takes the secret decryption key $sk^e$ and ciphertext to return the plaintext. This scheme should be secure in the sense we have discussed in Chapter 7.
Fix a digital signature scheme, and let $\mathcal{S}, \mathcal{V}$ denote, respectively, the signature and verification algorithms for this scheme. The former takes a secret signing key $sk^d$ and message to return a signature, and the latter takes the public verification key $pk^d$, message, and candidate signature to return an indication of whether or not the signature is valid. This scheme should be secure in the sense we have discussed in Chapter 10.
Every user I in the system has a public key $pk_I$ which is in fact a pair of public keys, $pk_I = (pk^e_I, pk^d_I)$, one for the encryption scheme and the other for the signature scheme. These keys are known to all other users and the adversary. However, the user keeps privately the corresponding secret keys. Namely he holds $sk_I = (sk^e_I, sk^d_I)$ and nobody else knows these keys.
Recall the model is that A has B's public key $pk_B$ and B has A's public key $pk_A$. The protocol for the parties to get a joint, shared secret key α is depicted in Figure 11.4, and a more complete explanation follows.
A → B: $R_A$
B → A: $R_B \| \mathcal{E}_{pk^e_A}(\alpha) \| \mathcal{S}_{sk^d_B}(B \| A \| R_A \| R_B \| \mathcal{E}_{pk^e_A}(\alpha))$
A → B: $\mathcal{S}_{sk^d_A}(A \| R_B)$
Figure 11.4: Protocol for exchange of symmetric key in asymmetric setting.
Here is a more complete description of the flows:
(1) A picks at random a string $R_A$ and sends it to B.
(2) B picks at random a string $R_B$. She also picks at random an l-bit session key α. She encrypts it under A's public key $pk^e_A$ to produce the ciphertext $C = \mathcal{E}_{pk^e_A}(\alpha)$. She now computes the signature $\mu = \mathcal{S}_{sk^d_B}(A \| R_A \| R_B \| C)$, under her secret signing key $sk^d_B$. She sends $R_B, C, \mu$ to A.
(3) A verifies that $\mathcal{V}_{pk^d_B}(A \| R_A \| R_B \| C, \mu) = 1$. If this is the case she computes the signature $\mathcal{S}_{sk^d_A}(R_B)$ and sends it to B. She also decrypts C via $\alpha = \mathcal{D}_{sk^e_A}(C)$ to recover the session key.
(4) B verifies the last signature and accepts (outputting session key α) if the last signature was valid.
11.5 Forward secrecy
Forward secrecy is an extra security property that a session key can have and which seems very desirable.
Consider, for concreteness, the protocol of Figure 11.4 for exchange of a symmetric key in the asymmetric setting.
Suppose A and B have run this protocol and exchanged a session key α, and used it to encrypt data. Suppose
the adversary recorded the transcript of this exchange. This means she has in her possession C = E_{pk^e_A}(α), the encrypted session key, and also any ciphertexts encrypted under α that the parties may have transmitted, call them C_1, C_2, . . .. Since the session key distribution protocol is secure, the information she has doesn’t give her anything; certainly she does not learn the session key α.
Now that session is over. But now suppose, for some reason, the long-lived key of A is exposed. Meaning the adversary, somehow, gets hold of sk_A = (sk^e_A, sk^d_A).
Certainly, the adversary can compromise all future sessions of A. Yet in practice we would expect that A would soon realize her secret information is lost and revoke her public key pk_A = (pk^e_A, pk^d_A) to mitigate the damage.
However, there is another issue. The adversary now has sk^e_A and can decrypt the ciphertext C to get α. Using this, she can decrypt C_1, C_2, . . . and thereby read the confidential data that the parties sent in the past session. This does not contradict the security of the basic session key distribution protocol, which assumed that the adversary does not gain access to the long-lived keys. But we might ask for a new and stronger property. Namely that even if the adversary got the long-lived keys, at least past sessions would not be compromised. This is called forward secrecy.
Forward secrecy can be accomplished via the Diffie-Hellman key exchange with which we began this chapter. Let us give a protocol. We do so in the asymmetric, two-party setting; analogous protocols can be given in the other settings. The protocol we give is an extension of the STS protocol of [73]. It is depicted in Figure 11.5 and a more complete explanation follows.
A −→ B : g^x
B −→ A : g^y, S_{sk^d_B}(B A g^x g^y)
A −→ B : S_{sk^d_A}(A g^y)
Figure 11.5: Protocol for exchange of symmetric key with forward secrecy.
Here is a more complete description of the flows:
(1) A picks at random a string x, computes X = g^x, and sends it to B.
(2) B picks at random a string y and lets Y = g^y. She now computes the signature µ = S_{sk^d_B}(A X Y), under her secret signing key sk^d_B. She sends Y, µ to A.
(3) A verifies that V_{pk^d_B}(A X Y, µ) = 1. If this is the case she computes the signature S_{sk^d_A}(Y) and sends it to B. She also outputs the DH key g^{xy} = Y^x as the session key.
(4) B verifies the last signature and accepts (outputting session key g^{xy} = X^y) if the last signature was valid.
The use of the DH secret key exchange protocol here is intriguing. Is that the only way to get forward secrecy?
It turns out it is. Bellare and Rogaway have noted that secret key exchange is not only suﬃcient but also
necessary for the forward secrecy property [24].
As we noted in Section 11.1.4, the DH key is not by itself a good key because we cannot guarantee bit security. Accordingly, the session key in the above should actually be set to, say, H(g^{xy}) rather than g^{xy} itself, for a “good” hash function H.
Chapter 12
Protocols
Classical cryptography is concerned with the problem of secure communication between users by providing privacy and authenticity. The need for an underlying infrastructure for key management leads naturally into the topic of key distribution. For many years this is all there was to cryptography.
One of the major contributions of modern cryptography has been the development of advanced protocols. These protocols enable users to electronically solve many real world problems, play games, and accomplish all kinds of intriguing and very general distributed tasks. Amongst these are zero-knowledge proofs, secure distributed computing, and voting protocols. The goal of this chapter is to give a brief introduction to this area.
12.1 Some two party protocols
We make reference to some number theoretic facts in Section C.6.
12.1.1 Oblivious transfer
This protocol was invented by M. Rabin [172].
An oblivious transfer is an unusual protocol wherein Alice transfers a secret bit m to Bob in such a way that the bit is transferred to Bob with probability 1/2; Bob knows when he gets the bit, but Alice doesn’t know whether it was transferred or not.
This strange-sounding protocol has a number of useful applications (see, for example [172, 32]). In fact, Kilian has shown [123] that the ability to perform oblivious transfers is a sufficiently strong primitive to enable any two-party protocol to be performed.
The following implementation for oblivious transfer has been proposed in the literature (related ideas due to
Rabin and Blum.)
(1) Alice picks two primes p, q at random and multiplies them to produce the modulus N = pq. She encrypts
the message m under this modulus in some standard way, having the property that if you know p, q then
you can decrypt, else you can’t. She sends N and the ciphertext C to Bob.
(2) Bob picks a ∈ Z*_N at random and sends w = a^2 mod N to Alice.
(3) Alice computes the four square roots x, −x, y, −y of w, picks one at random and sends it back to Bob.
(4) If Bob got back the root which is not ±a he can factor N and recover m. Else he can’t.
And Alice doesn’t know which happened since a was random.
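The square-root step of this protocol, as an added example that is not part of the notes: Alice, who knows p and q, computes the four roots of w by the Chinese remainder theorem, and the gcd computation shows why a root other than ±a hands Bob the factorization while ±a tells him nothing. The primes 11 and 19 are constructed toy values.

```python
import random
from math import gcd

# Constructed toy parameters for this added example: primes p, q ≡ 3 (mod 4), so that
# whoever knows them takes square roots with one exponentiation. Real instances use
# primes of hundreds of digits; then nobody without p, q can compute roots.
P, Q = 11, 19
N = P * Q


def sqrt_mod_prime(w: int, p: int) -> int:
    """A square root of the residue w modulo a prime p ≡ 3 (mod 4): w^((p+1)/4)."""
    r = pow(w % p, (p + 1) // 4, p)
    if r * r % p != w % p:
        raise ValueError("w is not a quadratic residue mod p")
    return r


def crt(rp: int, rq: int, p: int, q: int) -> int:
    """Combine residues rp (mod p) and rq (mod q) into the residue mod p*q."""
    return (rp + p * ((rq - rp) * pow(p, -1, q) % q)) % (p * q)


def four_square_roots(w: int, p: int, q: int) -> list:
    """Alice's step (3): the roots x, -x, y, -y of w mod N = pq from roots mod p and mod q."""
    n = p * q
    rp, rq = sqrt_mod_prime(w, p), sqrt_mod_prime(w, q)
    x = crt(rp, rq, p, q)          # same sign at both primes
    y = crt(rp, (-rq) % q, p, q)   # opposite sign at q
    return sorted({x, (-x) % n, y, (-y) % n})


def factor_from_root(a: int, root: int, n: int):
    """Bob's step (4). A root other than ±a agrees with a at one prime and with -a at
    the other, so gcd(a - root, N) is a nontrivial factor; for root = ±a the gcd is
    trivial and Bob learns nothing."""
    if root % n in (a % n, (-a) % n):
        return None
    g = gcd(a - root, n)
    return tuple(sorted((g, n // g)))


def oblivious_transfer(p: int, q: int, rng) -> bool:
    """One run of the protocol. True iff Bob ended up able to factor N (probability 1/2)."""
    n = p * q
    a = rng.randrange(2, n)
    while gcd(a, n) != 1:          # Bob needs a in Z_N^*
        a = rng.randrange(2, n)
    w = a * a % n                  # Bob -> Alice: w = a^2 mod N
    root = rng.choice(four_square_roots(w, p, q))   # Alice -> Bob: one root at random
    return factor_from_root(a, root, n) is not None


def transfer_rate(p: int, q: int, trials: int, seed: int = 1) -> float:
    """Fraction of runs in which the transfer went through; Alice cannot tell which ones."""
    rng = random.Random(seed)
    return sum(oblivious_transfer(p, q, rng) for _ in range(trials)) / trials
```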
It is fairly clear that there is no way for A to cheat in this protocol, since A does not know which square root of w B knows, as a was chosen at random. On first sight it looks like B cannot get anything either, since he only obtains a square root of a random square. However, a formal proof of this fact is not known. It is not clear whether B can cheat or not. For example, if B chooses a particular value of w instead of choosing a at random and setting w = a^2 (mod N), then this may lead to an advantage in factoring N. It is conceivable, for example, that knowing a square root of (N−1)/2 mod N (or some other special value) could allow B to factor N. Thus condition ii) is satisfied, but we can’t prove whether or not the first condition is satisfied.
If we had a method by which B could prove to A that he indeed followed the protocol and chose a at random without revealing what a is, the protocol could be modified to provably work. We will see in a later section on zero-knowledge proofs how such proofs can be done.
There is another form of OT called 1-out-of-2 OT. Here Alice has two secrets, m_0 and m_1. Bob has a selection bit c. At the end of the protocol, Bob gets m_c and Alice still does not know c. See [81].
12.1.2 Simultaneous contract signing
Alice and Bob want to sign the contract, but only if the other person does as well. That is, neither wants to be
left in the position of being the only one who signs. Thus, if Alice signs ﬁrst, she is worried Bob will then not
sign, and vice versa. (Maybe easier to think of having two contracts, the ﬁrst promising something to Alice, the
second to Bob. It is a trade. Obviously, each wants the other one to sign.) This problem was proposed in [81].
One approach is that Alice signs the ﬁrst letter of her name and sends the contract to Bob. He does likewise,
and sends it back. And so on. Assume their names have the same length. Then this makes some progress
towards a solution. Of course the problem is the person who must go last can stop. But you can make this a
negligible diﬀerence. For example, not a letter at a time, but a few millimeters of the letter at a time. No party
is ever much ahead of the other. If at some point they both stop, they both are at about the same point.
Electronically, we are exchanging strings, which are digital signatures of the contract. Alice has signed it to produce σ_A and Bob has signed it to produce σ_B. Now they exchange these strings a bit at a time, each time sending one more bit.
There is a problem with this. What if one person does not send the signature, but just some garbage string?
The other will not know until the end. Even, Goldreich and Lempel [81] show how oblivious transfer can be
used to ﬁx this.
Alice creates L_A which is the signature of the contract together with the phrase “this is my signature of the left half of the contract.” Similarly she creates R_A which is the signature of the contract together with the phrase “this is my signature of the right half of the contract.” Similarly, Bob creates L_B and R_B.
Also Alice picks two DES keys, K^L_A and K^R_A, and encrypts L_A, R_A respectively to produce C^L_A and C^R_A. Similarly for Bob, replacing As by Bs.
The contract is considered signed if you have both halves of the other person’s signature.
All the ciphertexts are sent to the other party.
Alice 1-out-of-2 OTs (K^L_A, K^R_A) to Bob with the latter choosing a random selection bit, and vice versa. Say Bob gets K^L_A and Alice gets K^R_B.
Alice and Bob send each other the first bits of both DES keys. Keep repeating until all bits of all keys are sent. In this phase, if a party catches a mistake in the bits corresponding to the key it already has, it aborts, else it continues.
12.1.3 Bit Commitment
Bob wants Alice to commit to some value, say a bid, so that she can’t change this at a later time as a function
of other things. On the other hand, Alice does not want Bob to know, at this time, what is the value she is
committing to, but will open it up later, at the right time.
Alice makes up an “electronic safe.” She has a key to it. She puts the value in the safe and sends the safe
to Bob. The latter can’t open it to extract the contents. This is a committal. Later, Alice will decommit by
sending the key. Now Bob can open it. What must be true is that Alice can’t produce a safe having two keys,
such that either open it, and when you look inside, you see diﬀerent values.
One way to implement this is via collision-free hashing. To commit to x Alice sends y = H(x). From this Bob can’t figure out x, since H is one-way. To decommit, Alice sends x and Bob checks that H(x) = y. But Alice can’t find x' ≠ x such that H(x') = y, so can’t cheat.
This however has poor bit security. You can fix it with hard-core bits.
Another way is to use quadratic residues. First, we fix a particular number y ∈ Z*_N which is known to be a non-residue. Commit to a 0 by sending a random square mod N, namely x^2, and to a 1 by sending a random non-square mod N, in the form yx^2. The QRA says Bob can’t tell which is which. To decommit, reveal x in either case.
Notice the QR commitment scheme is secure even against a sender who has unbounded computing power. But
not the receiver.
Can you do the opposite? Yes, use discrete logarithms. Let p be a known prime, g ∈ Z*_p a known generator of Z*_p, and s ∈ Z*_p a known element of unknown discrete logarithm, namely log_g(s) is not known. Commit to 0 by picking x at random and sending y = g^x; to a 1 by sending sg^x. Notice that to the receiver, each is a random element of the range. But what if the sender could create a y that could be opened both ways? It would have the discrete logarithm of s.
Commitment schemes are useful for lots of things. In particular, ZK proofs, but also coin ﬂipping.
12.1.4 Coin ﬂipping in a well
Blum [40] has proposed the problem of coin ﬂipping over the telephone. Alice and Bob want a fair, common,
coin. They want to take a random choice, but neither should be able to dictate it. Heads Alice wins, and tails
Bob wins.
What if Bob says, “I’ll ﬂip the coin and send you the value.” No good. Bob will just ﬂip to win. They must
both inﬂuence the value.
Here is a thought. Alice picks a random bit a and sends it to Bob, and Bob picks a random bit b and sends it to Alice, and the value of the coin is a⊕b. The problem is who goes first. If Alice goes first, Bob will choose b to make the coin whatever he wants. Not fair.
So what Alice does is first commit to her coin. She sends y = Commit(a) to Bob. Now Bob can’t make b a function of a. He sends back b, in the clear. Alice may want to make a a function of b, but it is too late since a is committed to. She decommits, and the coin is a⊕b.
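The discrete-logarithm commitment of Section 12.1.3 driving the coin flip of this section, as an added example that is not part of the notes. The prime p = 1019, the generator g = 2 and the way s is derived by hashing a public label are constructed choices; the last function shows why a sender who can open one y both ways has computed log_g(s).

```python
import hashlib
import secrets

# Constructed toy parameters for this added example: p = 2q + 1 is a safe prime, so a
# generator check needs only two exponentiations. A deployment would use a large group.
P = 1019
Q = (P - 1) // 2
G = 2
assert pow(G, 2, P) != 1 and pow(G, Q, P) != 1, "G must generate Z_P^*"


def nothing_up_my_sleeve(label: bytes, p: int = P) -> int:
    """Derive s, the element whose discrete log nobody knows, by hashing a public
    label into Z_p^*. Since no party picked s, no party knows log_g(s)."""
    h = int.from_bytes(hashlib.sha256(label).digest(), "big")
    return 2 + h % (p - 2)          # lands in [2, p - 1]


S = nothing_up_my_sleeve(b"coin flipping demo")   # hypothetical label


def commit(bit: int, x: int, p: int = P, g: int = G, s: int = S) -> int:
    """Sender: y = g^x for a 0, y = s * g^x for a 1. To the receiver each is a
    uniformly random element of Z_p^*, so y reveals nothing about the bit (hiding)."""
    y = pow(g, x, p)
    return y if bit == 0 else (s * y) % p


def verify_opening(y: int, bit: int, x: int, p: int = P, g: int = G, s: int = S) -> bool:
    """Receiver: check the decommitment (bit, x) against the earlier y."""
    return bit in (0, 1) and commit(bit, x, p, g, s) == y


def equivocation_gives_dlog(x0: int, x1: int, p: int = P) -> int:
    """Binding: if one y opens as (0, x0) and as (1, x1) then g^x0 = s * g^x1, so
    log_g(s) = x0 - x1 (mod p - 1). A sender who can equivocate has solved DL."""
    return (x0 - x1) % (p - 1)


def coin_flip(alice_bit: int, bob_bit: int, x: int) -> int:
    """Blum's coin flip over the telephone built on the commitment above."""
    y = commit(alice_bit, x)                  # Alice -> Bob: y = Commit(a)
    # Bob -> Alice: b in the clear. Bob sees only y, so b cannot depend on a.
    # Alice -> Bob: (a, x). a is already fixed by y, so it cannot depend on b.
    if not verify_opening(y, alice_bit, x):
        raise ValueError("invalid decommitment")
    return alice_bit ^ bob_bit                # the coin is a xor b


def run_flip() -> int:
    """One run with fresh randomness on both sides."""
    a, x = secrets.randbelow(2), secrets.randbelow(P - 1)
    b = secrets.randbelow(2)
    return coin_flip(a, b, x)
```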
12.1.5 Oblivious circuit evaluation
Alice and Bob want to know which of them is older. But neither wants to reveal their age. (Which means they also don’t want to reveal the age difference, since from this and their own age, each gets the other’s age too!) They just want a single bit to pop out, pointing to the older one.
Sometimes called the Millionaires’ problem, with the values being the earnings of each millionaire.
In general, the problem is that Alice has an input x_A and Bob has an input x_B and they want to compute f(x_A, x_B) where f is some known function, for example f(x_A, x_B) = 1 if x_A ≥ x_B and 0 otherwise. They want to compute it obliviously, so that at the end of the game they both have the value v = f(x_A, x_B) but neither knows anything else.
There are protocols for this task, and they are quite complex. We refer the reader to [10, 47].
12.1.6 Simultaneous Secret Exchange Protocol
This has been studied in [41, 204, 137, 210].
The protocol given here is an example of a protocol that seems to work at ﬁrst glance, but is in actuality open
to cheating for similar reasons that the above oblivious transfer protocol was open to cheating. The common
input consists of 1^k, α ∈ E_{n_A}(s_A), β ∈ E_{n_B}(s_B), n_A, and n_B, where n_A and n_B are each products of two equal size primes congruent to 3 mod 4; E_{n_A} (E_{n_B}) are the same encryption as in the oblivious transfer protocol above with respect to n_A (n_B respectively). A’s private input has in it the prime factorization n_A = p_A q_A of n_A and B’s contains the same for n_B. What we want is for A and B to be able to figure out s_B and s_A at the “same time”. We assume equal computing power and knowledge of algorithms. The suggested protocol of Blum [41] follows.
Step 1: A picks a_1, a_2, ..., a_k at random in Z*_{n_B} and then computes b_i = a_i^2 (mod n_B) for 1 ≤ i ≤ k. B picks w_1, w_2, ..., w_k at random in Z*_{n_A} and then computes x_i = w_i^2 (mod n_A) for 1 ≤ i ≤ k.
Step 2: A sends all the b_i’s to B and B sends all the x_i’s to A.
Step 3: For each x_i, A computes y_i and z_i such that y_i^2 = z_i^2 = x_i (mod n_A) but y_i ≠ ±z_i (mod n_A). (Note: either y_i or z_i equals ±w_i.) For each b_i, B computes c_i and d_i with similar restrictions. (Note: either c_i or d_i equals ±a_i.)
Step 4: While 1 ≤ j ≤ k, A sends B the jth significant bit of y_i and z_i for 1 ≤ i ≤ k. B sends A the jth significant bit of c_i and d_i for 1 ≤ i ≤ k.
Step 5: After completing the above loop, A (and B) figure out the factorization of n_B (and n_A) with the information obtained in Step 4. (A computes gcd(c_i − d_i, n_B) for each i and B computes gcd(y_i − z_i, n_A) for each i.) Using this information, they figure out s_B and s_A by decrypting α and β.
Why are k numbers chosen rather than just one? This is to prevent the following type of cheating on A’s and B’s behalf. Suppose only one x was sent to A. A could figure out y and z and then send the jth significant bits of y and a junk string to B in Step 4, hoping that y = ±w and B will not notice that junk is being sent. If y = ±w then B has no way of knowing that A is cheating until the last step, at which time A has all the information he needs to find s_B, but B has not gained any new information to find s_A. So A can cheat with a 50% chance of success. If, on the other hand, k different x’s are sent to A, A has an exponentially vanishing chance of successfully cheating in this fashion. Namely Prob(y_i = ±w_i ∀i) ≤ (1/2)^k.
Unfortunately, Shamir and Håstad pointed out a way to successfully cheat at this protocol. If, instead of choosing the w_i’s at random, A chooses w_1 at random, sets x_1 = w_1^2 (mod n_B), and then sets x_i = x_1/2^{i−1} (mod n_B), then after one iteration of Step 4, A has all of the information that he needs to factor n_B by the reduction of [106]. So, a seemingly good protocol fails, since B has no way to check whether A chose the x_i’s at random independently from each other as specified in the protocol or not. Note that this problem is similar to the problem which arose in the oblivious transfer protocol and can be corrected if A and B could check that each other was following the protocol.
12.2 Zero-Knowledge Protocols
The previous sections listed a number of cryptographic protocol applications and some problems they suﬀer
from. In this section we review the theory that has been developed to prove that these protocols are secure, and
to design protocols that are “provably secure by construction”. The key idea is to reduce the general problem
of two-party protocols to a simpler problem: How can A prove to B that x is in a language L so that no more
knowledge than x ∈ L is revealed. If this could be done for any L ∈ NP A could prove to B that he followed
the protocol steps. We proceed to deﬁne the loose terms “interactive proof” (or “proof by a protocol”) and
“zero knowledge”.
12.2.1 Interactive Proof-Systems (IP)
Before defining the notion of interactive proof-systems, we define the notion of an interactive Turing machine.
Definition 12.1 An interactive Turing machine (ITM) is a Turing machine with a read-only input tape, a read-only random tape, a read/write work tape, a read-only communication tape, a write-only communication tape, and a write-only output tape. The random tape contains an infinite sequence of bits which can be thought of as the outcome of unbiased coin tosses; this tape can be scanned only from left to right. We say that an interactive machine flips a coin to mean that it reads the next bit from its random tape. The contents of the write-only communication tape can be thought of as messages sent by the machine, while the contents of the read-only communication tape can be thought of as messages received by the machine.
Definition 12.2 An interactive protocol is an ordered pair of ITMs (A, B) which share the same input tape; B’s write-only communication tape is A’s read-only communication tape and vice versa. The machines take turns in being active with B being active first. During its active stage, the machine first performs some internal computation based on the contents of its tapes, and second writes a string on its write-only communication tape. The i-th message of A (B) is the string A (B) writes on its write-only communication tape in the i-th stage. At this point, the machine is deactivated and the other machine becomes active, unless the protocol has terminated. Either machine can terminate the protocol by not sending any message in its active stage. Machine B accepts (or rejects) the input by entering an accept (or reject) state and terminating the protocol. The first member of the pair, A, is a computationally unbounded Turing machine. The computation time of machine B is defined as the sum of B’s computation time during its active stages, and it is bounded by a polynomial in the length of the input string.
Definition 12.3 Let L ⊆ {0, 1}^*. We say that L has an interactive proof-system if ∃ ITM V s.t.
1. ∃ ITM P s.t. (P, V) is an interactive protocol and ∀x ∈ L s.t. |x| is sufficiently large, Prob(V accepts) > 2/3 (when probabilities are taken over coin tosses of V and P).
2. ∀ ITM P s.t. (P, V) is an interactive protocol, ∀x ∉ L s.t. |x| is sufficiently large, Prob(V accepts) < 1/3 (when probabilities are taken over coin tosses of V and P).
Note that it does not suffice to require that the verifier cannot be fooled by the predetermined prover (such a mild condition would have presupposed that the “prover” is a trusted oracle). NP is a special case of interactive proofs, where the interaction is trivial and the verifier tosses no coins.
We say that (P, V) (for which condition 1 holds) is an interactive proof-system for L.
Define IP = {L | L has an interactive proof-system}.
12.2.2 Examples
Notation
Throughout the lecture notes, whenever an interactive protocol is demonstrated, we let B −→ A : denote an
active stage of machine B, in the end of which B sends A a message. Similarly, A −→ B : denotes an active
stage of machine A.
Example 1: (From Number Theory)
Let Z*_n = {x < n ; (x, n) = 1}
QR = {(x, n) | x < n, (x, n) = 1 and ∃y s.t. y^2 ≡ x mod n}
QNR = {(x, n) | x < n, (x, n) = 1 and ∄y s.t. y^2 ≡ x mod n}
We demonstrate an interactive proof-system for QNR.
On input (x, n) to interactive protocol (A, B):
B −→ A : B sends to A the list w_1, . . . , w_k where k = |n| and
w_i = z_i^2 mod n if b_i = 1,
w_i = x z_i^2 mod n if b_i = 0,
where B selected z_i ∈ Z*_n, b_i ∈ {0, 1} at random.
A −→ B : A sends to B the list c_1, . . . , c_k s.t.
c_i = 1 if w_i is a quadratic residue mod n,
c_i = 0 otherwise.
B accepts iff c_i = b_i for all 1 ≤ i ≤ k.
B interprets b_i = c_i as evidence that (x, n) ∈ QNR; while b_i ≠ c_i leads him to reject.
We claim that (A, B) is an interactive proof-system for QNR. If (x, n) ∈ QNR, then w_i is a quadratic residue mod n iff b_i = 1. Thus, the all powerful A can easily compute whether w_i is a quadratic residue mod n or not, compute c_i correctly and make B accept with probability 1. If (x, n) ∉ QNR and (x, n) ∈ QR then w_i is a random quadratic residue mod n regardless of whether b_i = 0 or 1. Thus, the probability that A (no matter how powerful he is) can send c_i s.t. c_i = b_i is bounded by 1/2 for each i, and the probability that B accepts is at most (1/2)^k.
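The QNR proof-system above run end to end, as an added example that is not part of the notes. The unbounded prover is simulated by handing it the factorization n = 7 · 11 (a constructed toy modulus); the test cases show completeness on a non-residue and the (1/2)^k soundness bound when x is in fact a residue.

```python
import random
from math import gcd

# Constructed toy instance for this added example: n = 7 * 11. The prover (A) is given
# the factorization, which is how an "all powerful" prover is simulated here; the
# verifier (B) only sees n and x.


def is_qr_mod_prime(x: int, p: int) -> bool:
    """Euler's criterion: x is a square mod an odd prime p iff x^((p-1)/2) ≡ 1 (mod p)."""
    return pow(x % p, (p - 1) // 2, p) == 1


def is_qr(x: int, p: int, q: int) -> bool:
    """x is a square mod n = pq iff it is a square mod p and mod q."""
    return is_qr_mod_prime(x, p) and is_qr_mod_prime(x, q)


def verifier_challenge(x: int, n: int, k: int, rng):
    """B -> A: w_i = z_i^2 mod n if b_i = 1, w_i = x * z_i^2 mod n if b_i = 0,
    for random z_i in Z_n^* and random bits b_i. B keeps the b_i private."""
    bits, ws = [], []
    for _ in range(k):
        z = rng.randrange(1, n)
        while gcd(z, n) != 1:
            z = rng.randrange(1, n)
        b = rng.randrange(2)
        ws.append(z * z % n if b == 1 else x * z * z % n)
        bits.append(b)
    return bits, ws


def honest_prover(ws, p: int, q: int):
    """A -> B: c_i = 1 iff w_i is a quadratic residue mod n."""
    return [1 if is_qr(w, p, q) else 0 for w in ws]


def guessing_prover(ws, rng):
    """When x is itself a residue every w_i is a residue, so no prover can do better
    than guess b_i; this prover just guesses."""
    return [rng.randrange(2) for _ in ws]


def run_protocol(x: int, p: int, q: int, k: int, honest: bool, seed: int = 0) -> bool:
    """One execution; returns whether B accepts (c_i = b_i for all i)."""
    rng = random.Random(seed)
    bits, ws = verifier_challenge(x, p * q, k, rng)
    cs = honest_prover(ws, p, q) if honest else guessing_prover(ws, rng)
    return cs == bits


def acceptance_rate(x: int, p: int, q: int, k: int, honest: bool, trials: int) -> float:
    """Empirical acceptance probability over independent seeds."""
    return sum(run_protocol(x, p, q, k, honest, seed) for seed in range(trials)) / trials
```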
Example 2: (From Graph Theory)
To illustrate the definition of an interactive proof, we present an interactive proof for Graph Non-Isomorphism. The input is a pair of graphs G_1 and G_2, and one is required to prove that there exists no 1-1 edge-invariant mapping of the vertices of the first graph to the vertices of the second graph. (A mapping π from the vertices of G_1 to the vertices of G_2 is edge-invariant if the nodes v and u are adjacent in G_1 iff the nodes π(v) and π(u) are adjacent in G_2.) It is interesting to note that no short NP-proofs are known for this problem; namely Graph Non-isomorphism is not known to be in NP.
The interactive proof (A, B) on input (G_1, G_2) proceeds as follows:
B −→ A : B chooses at random one of the two input graphs, G_{α_i} where α_i ∈ {1, 2}. B creates a random isomorphic copy of G_{α_i} and sends it to A. (This is repeated k times, for 1 ≤ i ≤ k, with independent random choices.)
A −→ B : A sends B β_i ∈ {1, 2} for all 1 ≤ i ≤ k.
B accepts iff β_i = α_i for all 1 ≤ i ≤ k.
B interprets β_i = α_i as evidence that the graphs are not isomorphic; while β_i ≠ α_i leads him to reject.
If the two graphs are not isomorphic, the prover has no difficulty in always answering correctly (i.e., a β equal to α), and the verifier will accept. If the two graphs are isomorphic, it is impossible to distinguish a random isomorphic copy of the first from a random isomorphic copy of the second, and the probability that the prover answers correctly to one “query” is at most 1/2. The probability that the prover answers correctly all k queries is ≤ (1/2)^k.
12.2.3 Zero-Knowledge
Now that we have extended the notion of what is an efficient proof-system, we address the question of how much “knowledge” needs to be transferred in order to convince a polynomial-time bounded verifier of the truth of a proposition. What do we mean by “knowledge”? For example, consider SAT, the NP-complete language of satisfiable sentences of propositional calculus. The most obvious proof-system is one in which on logical formula F the prover gives the verifier a satisfying assignment I, which the verifier can check in polynomial time. If finding this assignment I by himself would take the verifier more than polynomial time (which is the case if P ≠ NP), we say that the verifier gains additional knowledge to the mere fact that F ∈ SAT.
Goldwasser, Micali and Rackoff [103] make this notion precise. They call an interactive proof-system for language L zero-knowledge if ∀x ∈ L whatever the verifier can compute after participating in the interaction with the prover could have been computed in polynomial time on the input x alone by a probabilistic polynomial time Turing machine.
We give the technical definition of zero-knowledge proof-systems and its variants in Section 12.2.4, and briefly mention a few interesting results shown in this area.
12.2.4 Deﬁnitions
Let (A, B) be an interactive protocol. Let view be a random variable denoting the verifier’s view during the protocol on input x. Namely, for a fixed sequence of coin tosses for A and B, view is the sequence of messages exchanged between verifier and prover, in addition to the string of coin tosses that the verifier used. The string h denotes any private input that the verifier may have, with the only restriction that its length is bounded by a polynomial in the length of the common input. (view is distributed over both A’s and B’s coin tosses.)
We say that (A, B) is perfect zero-knowledge for L if there exists a probabilistic, polynomial time Turing machine M s.t. ∀x ∈ L, for all a > 0, for all strings h such that |h| < |x|^a, the random variable M(x, h) and view are identically distributed. (M(x, h) is distributed over the coin tosses of M on inputs x and h.)
We say that (A, B) is statistically zero-knowledge for L if there exists a probabilistic polynomial time Turing machine M s.t. ∀x ∈ L, for all a > 0, for all strings h such that |h| < |x|^a,
Σ_α |prob(M(x, h) = α) − prob(view = α)| < 1/|x|^c
for all constants c > 0 and sufficiently large |x|.
Intuitively, the way to think of statistically zero-knowledge protocols is that an infinite power “examiner” who is given only polynomially large samples of {M(x, h) | M’s coin tosses} and {view | A’s and B’s coin tosses} can’t tell the two sets apart.
Finally, we say that a protocol (A, B) is computationally zero-knowledge if a probabilistic polynomial time bounded “examiner” given a polynomial number of samples from the above sets can not tell them apart. Formally,
We say that (A, B) is computationally zero-knowledge for L if ∃ probabilistic, polynomial time Turing machine M s.t. ∀ polynomial size circuit families C = {C_{|x|}}, ∀ constants a, d > 0, for all sufficiently large |x| s.t. x ∈ L, and for all strings h such that |h| < |x|^a,
|prob(C_{|x|}(α) = 1 | α random in M(x, h)) − prob(C_{|x|}(α) = 1 | α random in view(x))| < 1/|x|^d
We say that L has a (computational/statistical/perfect) zero-knowledge proof-system if
1. ∃ interactive proof-system (A, B) for L.
2. ∀ ITM’s B', interactive protocol (A, B') is (computational/statistical/perfect) zero-knowledge for L.
Clearly, the last definition is the most general of the three. We thus let KC[0] = {L | L has a computational zero-knowledge proof-system}.
12.2.5 If there exist one-way functions, then NP is in KC[0]
By far, the most important result obtained about zero-knowledge is by Goldreich, Micali and Wigderson [99]. They show the following result.
Theorem [99]: if there exists a (non-uniform) polynomial-time indistinguishable encryption scheme then every NP language has a computational zero-knowledge interactive proof-system.
The non-uniformity condition is necessary for technical reasons (i.e., the encryption scheme should be secure against non-uniform adversaries; see Section 3.7). The latest assumption under which such an encryption scheme exists is the existence of one-way functions (with respect to non-uniform adversaries), by results of Impagliazzo, Levin and Luby and of Naor.
The proof outline is to show a zero-knowledge proof system for an NP-complete language, graph three-colorability. We outline the protocol here. Suppose the prover wishes to convince the verifier that a certain input graph is three-colorable, without revealing to the verifier the coloring that the prover knows. The prover can do so in a sequence of |E|^2 stages, each of which goes as follows.
• The prover switches the three colors at random (e.g., switching all red nodes to blue, all blue nodes to yellow, and all yellow nodes to red).
• The prover encrypts the color of each node, using a different probabilistic encryption scheme for each node, and shows the verifier all these encryptions, together with the correspondence indicating which ciphertext goes with which vertex.
• The verifier selects an edge of the graph at random.
• The prover reveals the decryptions of the colors of the two nodes that are incident to this edge by revealing the corresponding decryption keys.
• The verifier confirms that the decryptions are proper, and that the two endpoints of the edge are colored with two different but legal colors.
(Any private probabilistic encryption scheme which is polynomial time indistinguishable will work here.) If the graph is indeed three-colorable (and the prover knows the coloring), then the verifier will never detect any edge being incorrectly labeled. However, if the graph is not three-colorable, then there is a chance of at least |E|^{−1} on each stage that the prover will be caught trying to fool the verifier. The chance that the prover could fool the verifier for |E|^2 stages without being caught is exponentially small.
Note that the history of our communications—in the case that the graph is threecolorable—consists of the
concatenation of the messages sent during each stage. It is possible to prove (on the assumption that secure
encryption is possible) that the probability distribution deﬁned over these histories by our set of possible
interactions is indistinguishable in polynomial time from a distribution that the veriﬁer can create on these
histories by itself, without the prover’s participation. This fact means that the verifier gains zero (additional) knowledge from the protocol, other than the fact that the graph is three-colorable.
The proof that graph three-colorability has such a zero-knowledge interactive proof system can be used to prove that every language in NP has such a zero-knowledge proof system.
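The stage-by-stage protocol above in executable form, as an added example that is not part of the notes. A hash-based commitment (SHA-256 over a random nonce and the color) stands in for the per-node probabilistic encryption; the toy graph, its proper coloring and the improper coloring used to show detection are constructed inputs.

```python
import hashlib
import random

# Constructed toy instance for this added example: two triangles sharing the edge (1, 2),
# a proper 3-coloring known only to the prover, and an improper one to show detection.
# A hash-based bit commitment (hash of nonce and color) plays the role of the probabilistic
# encryption in the notes: it hides the color and binds the prover to it.
EDGES = [(0, 1), (0, 2), (1, 2), (1, 3), (2, 3)]
COLORING = {0: 0, 1: 1, 2: 2, 3: 0}        # proper: every edge has two different colors
BAD_COLORING = {0: 0, 1: 1, 2: 2, 3: 1}    # improper: edge (1, 3) is monochrome
COLORS = (0, 1, 2)


def commit(color: int, nonce: bytes) -> bytes:
    """Commitment to one vertex's color under a fresh 128-bit nonce."""
    return hashlib.sha256(nonce + bytes([color])).digest()


def prover_round(coloring: dict, rng):
    """Stage steps 1-2: permute the colors at random, then commit to every vertex's
    color under a fresh nonce. Only the commitments are sent; openings stay private."""
    perm = list(COLORS)
    rng.shuffle(perm)
    openings = {v: (perm[c], rng.getrandbits(128).to_bytes(16, "big"))
                for v, c in coloring.items()}
    commitments = {v: commit(col, nonce) for v, (col, nonce) in openings.items()}
    return commitments, openings


def verifier_check(commitments: dict, edge, revealed: dict) -> bool:
    """Stage step 5: both openings match their commitments, and the two endpoints
    carry different legal colors."""
    u, v = edge
    if set(revealed) != {u, v}:
        return False
    (cu, nu), (cv, nv) = revealed[u], revealed[v]
    if commit(cu, nu) != commitments[u] or commit(cv, nv) != commitments[v]:
        return False
    return cu in COLORS and cv in COLORS and cu != cv


def run_proof(edges, coloring: dict, rounds: int, seed: int = 0) -> bool:
    """The |E|^2-stage protocol; returns whether the verifier accepts every stage.
    With an improper coloring the bad edge is drawn with probability >= 1/|E| per stage."""
    rng = random.Random(seed)
    for _ in range(rounds):
        commitments, openings = prover_round(coloring, rng)   # prover -> verifier
        edge = rng.choice(edges)                              # verifier -> prover (step 3)
        revealed = {w: openings[w] for w in edge}             # prover -> verifier (step 4)
        if not verifier_check(commitments, edge, revealed):
            return False
    return True
```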
12.2.6 Applications to User Identiﬁcation
Zero-knowledge proofs provide a revolutionary new way to realize passwords [104, 83]. The idea is for every user to store a statement of a theorem in his publicly readable directory, the proof of which only he knows. Upon login, the user engages in a zero-knowledge proof of the correctness of the theorem. If the proof is convincing, access permission is granted. This guarantees that even an adversary who overhears the zero-knowledge proof can not learn enough to gain unauthorized access. This is a novel property which can not be achieved with traditional password mechanisms. Fiat and Shamir [83] have developed variations on some of the previously proposed zero-knowledge protocols [104] which are quite efficient and particularly useful for user identification and passwords.
12.3 Multi Party protocols
In a typical multiparty protocol problem, a number of parties wish to coordinate their activities to achieve
some goal, even though some (suﬃciently small) subset of them may have been corrupted by an adversary. The
protocol should guarantee that the “good” parties are able to achieve the goal even though the corrupted parties
send misleading information or otherwise maliciously misbehave in an attempt to prevent the good parties from
succeeding.
12.3.1 Secret sharing
Secret Sharing protocols were invented independently by Blakley and Shamir [37, 187]. In the multiparty
setting, secret sharing is a fundamental protocol and tool.
The basic idea is protection of privacy of information by distribution. Say you have a key to an important system. You are afraid you might lose it, so you want to give it to someone else. But no single person can be trusted with the key. Not just because that person may become untrustworthy, but because the place they keep the key may be compromised. So the key is shared amongst a bunch of people.
Let's call the key the secret $s$. A way to share it amongst five people is to split it up as $s = s_1 \oplus \cdots \oplus s_5$ and give
$s_i$ to person $i$. No one person can figure out $s$. Even more, no four people can do it: it takes all five. If they all
get together they can recover $s$. (Once that is done, they may discard it, i.e. it may be a one-time key, because
now everyone knows it.)
We call $s_i$ a share. Who creates the shares? The original holder of $s$. Sometimes it is one of the $n$ players,
sometimes not. We call this person the dealer.
Notice that $s_i$ must be given privately to the $i$th player. If other players see it, then, of course, this doesn't
work.
We may want something more flexible. Say we have $n$ people. We want that any $t+1$ of them can recover the
secret but no $t$ of them can find out anything about it, for some parameter $t$. For example, say $n = 5$ and $t = 2$.
Any three of your friends can open your system, but no two of them can. This is better since above if one of
them loses their share, the system can't be opened.
Shamir's idea is to use polynomials [187]. Let $F$ be a finite field, like $\mathbb{Z}_p^*$. A degree $t$ polynomial is of the form
$f(x) = a_0 + a_1 x + \cdots + a_t x^t$ for coefficients $a_0, \ldots, a_t \in F$. It has $t+1$ terms, not $t$: one more term than the
degree. Polynomials have the following nice properties:
Interpolation: Given $t+1$ points on the polynomial, namely $(x_1, y_1), \ldots, (x_{t+1}, y_{t+1})$ where $x_1, \ldots, x_{t+1}$
are distinct and $y_i = f(x_i)$, it is possible to find $a_0, \ldots, a_t$. The algorithm to do this is called interpolation.
You can find it in many books.
Secrecy: Given any $t$ points on the polynomial, namely $(x_1, y_1), \ldots, (x_t, y_t)$ where $x_1, \ldots, x_t$ are distinct
and $y_i = f(x_i)$, one can't figure out anything about $a_0$. More precisely, for any value $v$, the number of
polynomials with $a_0 = v$ satisfying these $t$ constraints does not depend on $v$. (In fact there is exactly one of them.)
This makes them a tool for secret sharing. Associate to each player $i$ a point $x_i \in F$, these points being all
distinct. (So $|F| \ge n$.) To share secret $s$, the dealer picks $a_1, \ldots, a_t$ at random, sets $a_0 = s$ and forms the
polynomial $f(x) = a_0 + a_1 x + \cdots + a_t x^t$. Now he computes $s_i = f(x_i)$ and sends this privately to player $i$.
Now if $t+1$ players get together they can figure out $f$ and hence $s$; any set of at most $t$ players can't figure out
anything about $s$.
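The following Python code is an added example, not part of the notes; it implements Shamir's scheme over the field $\mathbb{Z}_p$ for an arbitrary $(t, n)$: the dealer picks $a_1, \ldots, a_t$ at random, sets $a_0 = s$ and hands $f(i)$ to player $i$; any $t+1$ players recover $s$ by Lagrange interpolation at $x = 0$. The prime $p$ and the choice of evaluation points $x_i = i$ are assumptions of the example. A brute-force helper over a tiny field also checks the Secrecy property above: for every candidate constant term, exactly one polynomial of degree $t$ fits $t$ given points.

```python
import secrets
from itertools import product

# Field for the shares: a fixed 127-bit Mersenne prime (constructed example
# parameter, not from the notes). Any prime p with p > n works.
P = 2**127 - 1


def make_shares(secret, t, n, p=P):
    """Dealer: pick a_1..a_t at random, set a_0 = secret, hand f(x_i) to player i.
    Players use the distinct points x_i = 1..n (so n < p is required)."""
    assert 0 <= secret < p and 0 < t < n < p
    coeffs = [secret] + [secrets.randbelow(p) for _ in range(t)]

    def f(x):
        # Horner evaluation of a_0 + a_1 x + ... + a_t x^t mod p
        acc = 0
        for a in reversed(coeffs):
            acc = (acc * x + a) % p
        return acc

    return [(x, f(x)) for x in range(1, n + 1)]


def recover(shares, p=P):
    """Lagrange interpolation at x = 0 from any t+1 (or more) distinct shares."""
    xs = [x for x, _ in shares]
    assert len(set(xs)) == len(xs), "points must be distinct"
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * (-xj)) % p
                den = (den * (xi - xj)) % p
        secret = (secret + yi * num * pow(den, -1, p)) % p
    return secret


def count_polys_through(points, a0, t, p):
    """Brute force (tiny p only): how many degree-<=t polynomials with constant
    term a0 pass through the given t points?  Secrecy says the answer is the
    same (exactly 1) for every a0, so t shares reveal nothing about a_0."""
    count = 0
    for rest in product(range(p), repeat=t):
        coeffs = (a0,) + rest
        if all(sum(c * pow(x, k, p) for k, c in enumerate(coeffs)) % p == y
               for x, y in points):
            count += 1
    return count


if __name__ == "__main__":
    shares = make_shares(12345, t=2, n=5)
    print("any 3 of 5 shares recover the secret:", recover(shares[:3]))
```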
12.3.2 Veriﬁable Secret Sharing
Shamir’s scheme suﬀers from two problems. If the dealer of the secret is dishonest, he can give pieces which when
put together do not uniquely deﬁne a secret. Secondly, if some of the players are dishonest, at the reconstruction
stage they may provide other players with diﬀerent pieces than they received and again cause an incorrect secret
to be reconstructed.
228 Goldwasser and Bellare
Chor, Goldwasser, Micali, and Awerbuch [59] have observed the above problems and showed how to achieve
secret sharing based on the intractability of factoring which does not suffer from the above problems. They call
the new protocol verifiable secret sharing since now every party can verify that the piece of the secret he received
is indeed a proper piece. Their protocol tolerated up to $O(\log n)$ colluders. Benaloh [29], and others [99, 82]
showed how to achieve verifiable secret sharing if any one-way function exists, tolerating a minority of
colluders. In [28] it has been recently shown how to achieve verifiable secret sharing against a third of colluders
using error correcting codes, without making cryptographic assumptions. This was improved to a minority of
colluders in [173].
12.3.3 Anonymous Transactions
Chaum has advocated the use of anonymous transactions as a way of protecting individuals from the maintenance
by "Big Brother" of a database listing all their transactions, and proposes using digital pseudonyms to do
so. Using pseudonyms, individuals can enter into electronic transactions with assurance that the transactions
cannot be later traced to the individual. However, since the individual is anonymous, the other party may wish
assurance that the individual is authorized to enter into the transaction, or is able to pay [54, 57].
12.3.4 Multiparty Ping-Pong Protocols
One way of demonstrating that a cryptographic protocol is secure is to show that the primitive operations that
each party performs can not be composed to reveal any secret information.
Consider a simple example due to Dolev and Yao [77] involving the use of public keys. Alice sends a message
$M$ to Bob, encrypting it with his public key, so that the ciphertext $C$ is $E_B(M)$ where $E_B$ is Bob's public
encryption key. Then Bob "echos" the message back to Alice, encrypting it with Alice's public key, so that the
ciphertext returned is $C' = E_A(M)$. This completes the description of the protocol.
Is this secure? Since the message $M$ is encrypted on both trips, it is clearly infeasible for a passive eavesdropper
to learn $M$. However, an active eavesdropper $X$ can defeat this protocol. Here's how: the eavesdropper $X$
overhears the previous conversation, and records the ciphertext $C = E_B(M)$. Later, $X$ starts up a conversation
with Bob using this protocol, and sends Bob the encrypted message $E_B(M)$ that he has recorded. Now Bob
dutifully returns to $X$ the ciphertext $E_X(M)$, which gives $X$ the message $M$ he desires!
The moral is that an adversary may be able to “cut and paste” various pieces of the protocol together to
break the system, where each “piece” is an elementary transaction performed by a legitimate party during the
protocol, or a step that the adversary can perform himself.
It is sometimes possible to prove that a protocol is invulnerable to this style of attack. Dolev and Yao [77]
pioneered this style of proof; additional work was performed by Dolev, Even, and Karp [76], Yao [209], and
Even and Goldreich [80]. In other cases a modification of the protocol can eliminate or alleviate the danger; see
[174] as an example of this approach against the danger of an adversary "inserting himself into the middle" of
a public-key exchange protocol.
12.3.5 Multiparty Protocols When Most Parties are Honest
Goldreich, Micali, and Wigderson [99] have shown how to “compile” a protocol designed for honest parties into
one which will still work correctly even if some number less than half of the players try to “cheat”. While the
protocol for the honest parties may involve the disclosure of secrets, at the end of the compiled protocol none
of the parties know any more than what they knew originally, plus whatever information is disclosed as the
“oﬃcial output” of the protocol. Their compiler correctness and privacy is based on the existence of trapdoor
functions.
Ben-Or, Goldwasser and Wigderson [28] and Chaum, Crépeau, and Damgård [55] go one step further. They
assume secret communication between pairs of users as a primitive. Making no intractability assumption, they
show a "compiler" which, given a description (e.g., a polynomial time algorithm or circuit) of any polynomial
time function $f$, produces a protocol which always computes the function correctly and guarantees that no
information beyond the function value is leaked to dishonest players. The "compiler" withstands up
to 1/3 of the parties acting dishonestly in a manner directed by a worst-case unbounded-computation-time
adversary.
These "master theorems" promise to be a very powerful tool in the future design of secure protocols.
12.4 Electronic Elections
Electronic Elections can be considered the typical example of secure multiparty computations. The general
instance of such a problem is that there are $m$ people, each of them with their own private input $x_i$, and we
want to compute the result of an $n$-ary function $f$ over such values, without revealing them.
In the case of electronic elections the parties are the voters, their input a binary value, the function being
computed is just a simple sum and the result is the tally.
In general, these are the properties that we would like our Election Protocols to have:
1. Only authorized voters can vote.
2. No one can vote more than once.
3. Secrecy of votes is maintained.
4. No one can duplicate anyone else’s vote.
5. The tally is computed correctly.
6. Anybody should be able to check 5.
7. The protocol should be fault-tolerant, meaning it should be able to work even in the presence of a number
of "bad" parties.
8. It should be impossible to coerce a voter into revealing how she voted (e.g. vote-buying).
Usually in election protocols it is not desirable to involve all the voters $V_i$ in the computation process. So we
assume that there are $n$ government centers $C_1, \ldots, C_n$ whose task is to collect votes and compute the tally.
12.4.1 The Merritt Election Protocol
Consider the following scheme by Michael Merritt [147].
Each center $C_i$ publishes a public key $E_i$ and keeps secret the corresponding secret key. In order to cast her
vote $v_j$, each voter $V_j$ chooses a random number $s_j$ and computes
$$E_1(E_2(\ldots E_n(v_j, s_j))) = y_{n+1,j} \qquad (12.1)$$
(The need for the second index $n+1$ will become clear in a minute; for now it is just irrelevant.)
Now we have the values $y$'s posted. In order from center $C_n$ to center $C_1$, each center $C_i$ does the following. For
each $y_{i+1,j}$, $C_i$ chooses a random value $r_{i,j}$ and broadcasts $y_{i,j'} = E_i(y_{i+1,j}, r_{i,j})$. The new index $j'$ is computed
by taking a random permutation $\pi_i$ of the integers $[1..n]$. That is, $j' = \pi_i(j)$. $C_i$ keeps the permutation secret.
At the end we have
$$y_{1,j} = E_1(E_2(\ldots E_n(y_{n+1,j}, r_{n,j}) \ldots, r_{2,j}), r_{1,j})$$
At this point, the verification cycle begins. It consists of two rounds of decryption in the order $C_1 \longrightarrow C_2 \longrightarrow \ldots \longrightarrow C_n$.
The decrypted values are posted and the tally computed by taking the sum of the votes $v_j$.
(1) and (2) are clearly satisfied. (3) is satisfied, as even if the votes are revealed, what is kept hidden is the
connection between the vote and the voter who cast it. Indeed in order to reconstruct such a link we need to
know all the permutations $\pi_i$. (4) is not satisfied as voter $V_1$ can easily copy voter $V_2$, by for example casting
the same encrypted string. (5) and (6) are satisfied using the random strings: during the first decryption round
each center checks that his random strings appear in the decrypted values, making sure that all his ciphertexts
are being counted. Also at the end of the second decryption round each voter looks for her string $s_j$ to make
sure her vote is being counted (choosing a large enough space for the random string should eliminate the risk
of duplicates.) Notice that in order to verify the correctness of the election we need the cooperation of all the
voters (a negative feature especially in large protocols.)
(7) requires a longer discussion. If we are concerned about the secrecy of the votes being lost because of parties
going "bad", then the protocol is ideal. Indeed even if $n-1$ of the centers cooperate, they will not be able to
learn who cast what vote, since they need to know all the permutations $\pi_i$. However even if one of the
government agencies fails, by for example crashing, the entire system falls apart. The whole election needs to
be repeated.
(8) is not satisfied. Indeed the voter can be forced to reveal both $v_j$ and $s_j$, and if she tries to lie about the vote
she will be discovered since the declared values will not match the ciphertext $y_{n+1,j}$.
12.4.2 A fault-tolerant Election Protocol
In this section we describe a protocol which has the following features
• satisfies (4), meaning it will be impossible to copy other people's votes (the protocol before did not)
• does not require the cooperation of each voter to publicly verify the tally (better solution to (6) than the
above)
• introduces fault-tolerance: we fix a threshold $t$ and we assume that if there are less than $t$ "bad" centers
the protocol will correctly compute the tally and the secrecy of each vote will be preserved (better solution
to (7) than the above.)
This protocol is still susceptible to coercion (requirement (8)). We will discuss this point at the end.
The ideas behind this approach are due to Josh Benaloh [31]. The protocol described in the following section is
the most efficient one in the literature, due to Cramer, Franklin, Schoenmakers and Yung [64].
Homomorphic Commitments
Let $B$ be a commitment scheme (basically a one-way function.)
We say that a commitment scheme $B$ is $(+,\cdot)$-homomorphic if
$$B(X + Y) = B(X) \cdot B(Y)$$
One possible example of such a commitment is the following (invented by Pedersen [161]):
Discrete-Log based Homomorphic Commitment: Let $p$ be a prime of the form $p = kq + 1$ and let $g, h$ be
two elements in the subgroup of order $q$. We assume nobody knows the discrete log in base $g$ of $h$. To commit
to a number $m$ in $[1..q]$:
$$B_a(m) = g^a h^m \qquad (12.2)$$
for a randomly chosen $a$ modulo $q$. To open the commitment $a$ and $m$ must be revealed.
Notice that this is a $(+,\cdot)$-homomorphic commitment as:
$$B_{a_1}(m_1) B_{a_2}(m_2) = g^{a_1} h^{m_1} g^{a_2} h^{m_2} = g^{a_1 + a_2} h^{m_1 + m_2} = B_{a_1 + a_2}(m_1 + m_2)$$
From now on let $B$ be a $(+,\cdot)$-homomorphic commitment scheme.
12.4.3 The protocol
For ease of presentation we will show the protocol in two versions. First we assume that there is only one center.
Then we show how to generalize the ideas to the case of many centers.
Vote Casting – 1 center
Assume for now that there is only one center $C$ and let $E$ be his encryption function.
Assuming the votes are either $1$ or $-1$, each voter $V_j$ encrypts his vote $v_j$ by computing and posting $B_{a_j}(v_j)$ for
a randomly chosen $a_j$. $V_j$ also sends the values $a_j$ and $v_j$ to $C$ encrypted.
The voter now must prove that the vote is correct (i.e. it's the encryption of a $1$ or of a $-1$.) He does this by
performing a zero-knowledge proof of validity.
For the discrete-log based homomorphic commitment scheme described above, here is a very efficient protocol.
Let us drop the index $j$ for simplicity.
For $v = 1$:
1. The voter $V$ chooses at random $a, r_1, d_1, w_2$ modulo $q$. He posts $B_a(v) = g^a h$ and also posts
$\alpha_1 = g^{r_1} (B_a(v) h)^{-d_1}$, $\alpha_2 = g^{w_2}$.
2. The center $C$ sends a random challenge $c$ modulo $q$.
3. The voter $V$ responds as follows: $V$ computes $d_2 = c - d_1$ and $r_2 = w_2 + a d_2$ and posts $d_1, d_2, r_1, r_2$.
4. The center $C$ checks that
• $d_1 + d_2 = c$
• $g^{r_1} = \alpha_1 (B_a(v) h)^{d_1}$
• $g^{r_2} = \alpha_2 (B_a(v)/h)^{d_2}$
For $v = -1$:
1. The voter $V$ chooses at random $a, r_2, d_2, w_1$ modulo $q$. He posts $B_a(v) = g^a / h$ and also posts $\alpha_1 = g^{w_1}$,
$\alpha_2 = g^{r_2} (B_a(v)/h)^{-d_2}$.
2. The center $C$ sends a random challenge $c$ modulo $q$.
3. The voter $V$ responds as follows: $V$ computes $d_1 = c - d_2$ and $r_1 = w_1 + a d_1$ and posts $d_1, d_2, r_1, r_2$.
4. The center $C$ checks that
• $d_1 + d_2 = c$
• $g^{r_1} = \alpha_1 (B_a(v) h)^{d_1}$
• $g^{r_2} = \alpha_2 (B_a(v)/h)^{d_2}$
From now on we will refer to the above protocol as Proof($B_a(v)$).
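Here is the above Proof($B_a(v)$) exchange as an added Python example (not code from the notes or from [64]). It follows the four steps for both $v = 1$ and $v = -1$: the branch that matches $v$ is answered honestly, the other is simulated by fixing its share $d$ of the challenge and its response in advance, which is why the center only learns that $d_1 + d_2 = c$ and not which branch was real. The toy parameters $p = 1019$, $q = 509$, $g = 4$, $h = 9$ and the function names are the example's own assumptions; at this size anyone could compute $\log_g h$ by brute force, so they only serve to show the algebra.

```python
import secrets

# Toy Pedersen parameters (constructed): p = 2q + 1, g = 4 and h = 9 are
# quadratic residues, hence of prime order q. Nobody is supposed to know log_g(h).
P, Q, G, H = 1019, 509, 4, 9


def commit(a, v):
    """B_a(v) = g^a h^v mod p (equation 12.2)."""
    return (pow(G, a % Q, P) * pow(H, v % Q, P)) % P


def inv(x):
    return pow(x, -1, P)


def prover_commit(v, a):
    """Step 1. Returns the posted message (B, alpha1, alpha2) and the voter's
    private state. Branch 1 claims B*h = g^a (v = -1); branch 2 claims
    B/h = g^a (v = 1). The branch that is false for v is simulated."""
    assert v in (1, -1)
    B = commit(a, v)
    if v == 1:                                   # real branch 2, simulate branch 1
        r1, d1, w2 = (secrets.randbelow(Q) for _ in range(3))
        alpha1 = (pow(G, r1, P) * pow((B * H) % P, (-d1) % Q, P)) % P
        alpha2 = pow(G, w2, P)
        state = dict(v=v, a=a, r1=r1, d1=d1, w2=w2)
    else:                                        # real branch 1, simulate branch 2
        r2, d2, w1 = (secrets.randbelow(Q) for _ in range(3))
        alpha1 = pow(G, w1, P)
        alpha2 = (pow(G, r2, P) * pow((B * inv(H)) % P, (-d2) % Q, P)) % P
        state = dict(v=v, a=a, r2=r2, d2=d2, w1=w1)
    return (B, alpha1, alpha2), state


def prover_respond(state, c):
    """Step 3: split the challenge so that d1 + d2 = c and answer the real branch."""
    if state["v"] == 1:
        d1, r1 = state["d1"], state["r1"]
        d2 = (c - d1) % Q
        r2 = (state["w2"] + state["a"] * d2) % Q
    else:
        d2, r2 = state["d2"], state["r2"]
        d1 = (c - d2) % Q
        r1 = (state["w1"] + state["a"] * d1) % Q
    return d1, d2, r1, r2


def verify(msg, c, resp):
    """Step 4: the three checks performed by the center."""
    B, alpha1, alpha2 = msg
    d1, d2, r1, r2 = resp
    ok_split = (d1 + d2) % Q == c % Q
    ok1 = pow(G, r1, P) == (alpha1 * pow((B * H) % P, d1, P)) % P
    ok2 = pow(G, r2, P) == (alpha2 * pow((B * inv(H)) % P, d2, P)) % P
    return ok_split and ok1 and ok2


def run_proof(v, a, c=None):
    """One full interactive run; the challenge c is drawn by the center."""
    msg, state = prover_commit(v, a)
    if c is None:
        c = secrets.randbelow(Q)
    return verify(msg, c, prover_respond(state, c))
```

Because the center draws $c$ after seeing $\alpha_1, \alpha_2$, a voter who tries to reuse another voter's posted values cannot answer a fresh challenge, which is the argument given below for property (4).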
Tally Computation – 1 center
At the end of the previous phase we were left with $B_{a_j}(v_j)$ for each voter $V_j$. The center reveals the tally
$T = \sum_j v_j$ and also the value $A = \sum_j a_j$. Everybody can check that the tally is correct by performing the
following operation:
$$B_A(T) = \prod_j B_{a_j}(v_j)$$
which should be true for the correct tally, because of the homomorphic property of $B$.
The 1-center version of the protocol however has the drawback that this center learns everybody's vote.
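As an added example (not from the notes), the following Python code implements the Pedersen commitment of equation (12.2), checks its $(+,\cdot)$-homomorphic property, and runs the 1-center vote casting and the public tally check $B_A(T) = \prod_j B_{a_j}(v_j)$ above. The toy group parameters are constructed for the example and far too small for real use; the function names are the example's own.

```python
import secrets

# Toy Pedersen parameters (constructed for this example): p = 2q + 1 with q
# prime, g and h of order q. Nobody is supposed to know log_g(h).
P, Q = 1019, 509
G, H = 4, 9


def commit(a, m, p=P, q=Q, g=G, h=H):
    """Pedersen commitment B_a(m) = g^a h^m mod p (equation 12.2).
    Exponents live modulo q because g and h have order q."""
    return (pow(g, a % q, p) * pow(h, m % q, p)) % p


def is_homomorphic(a1, m1, a2, m2):
    """B_{a1}(m1) * B_{a2}(m2) == B_{a1+a2}(m1+m2), the property used by the tally check."""
    return (commit(a1, m1) * commit(a2, m2)) % P == commit(a1 + a2, m1 + m2)


def cast_votes(votes):
    """Each voter posts B_{a_j}(v_j) and sends (a_j, v_j) to the center privately.
    Returns triples (commitment, a_j, v_j); only the commitment is public."""
    ballots = []
    for v in votes:
        assert v in (1, -1)
        a = secrets.randbelow(Q)
        ballots.append((commit(a, v), a, v))
    return ballots


def center_tally(ballots):
    """The single center, who knows every (a_j, v_j), reveals T and A."""
    T = sum(v for _, _, v in ballots)
    A = sum(a for _, a, _ in ballots) % Q
    return T, A


def public_check(public_commitments, T, A):
    """Anyone verifies B_A(T) == prod_j B_{a_j}(v_j) from the posted commitments
    alone, without learning any individual a_j or v_j."""
    prod = 1
    for B in public_commitments:
        prod = (prod * B) % P
    return commit(A, T) == prod


if __name__ == "__main__":
    ballots = cast_votes([1, 1, -1, 1, -1, -1, 1])
    T, A = center_tally(ballots)
    print("tally", T, "checks:", public_check([b for b, _, _ in ballots], T, A))
```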
Vote Casting – n centers
Assume $n$ centers $C_1, \ldots, C_n$ and let $E_i$ be the encryption function of $C_i$.
In this case voter $V_j$ encrypts the vote $v_j$ in the following manner. First he commits to the vote by posting
$$B_j = B_{a_j}(v_j)$$
for a randomly chosen $a_j$ modulo $q$. He also proves that this is a correct vote by performing Proof($B_{a_j}(v_j)$).
Then he shares the values $a_j$ and $v_j$ among the centers using Shamir's $(t, n)$ threshold secret sharing. That is,
he chooses random polynomials $H_j(X)$ and $A_j(X)$ of degree $t$ such that $H_j(0) = v_j$ and $A_j(0) = a_j$. Let
$$R_j(X) = v_j + r_{1,j} X + \ldots + r_{t,j} X^t$$
$$S_j(X) = a_j + s_{1,j} X + \ldots + s_{t,j} X^t$$
The coefficients are all modulo $q$.
Now the voter sends the values $u_{i,j} = R_j(i)$ and $w_{i,j} = S_j(i)$ to the center $C_i$ (encrypted with $E_i$.)
Finally he commits to the coefficients of the polynomial $H_j$ by posting
$$B_{\ell,j} = B_{s_{\ell,j}}(r_{\ell,j}) \qquad \ell = 1, \ldots, t$$
The centers perform the following check
$$g^{w_{i,j}} h^{u_{i,j}} = B_j \prod_{\ell=1}^{t} (B_{\ell,j})^{i^\ell} \qquad (12.3)$$
to make sure that the shares they received encrypted are correct.
Tally counting – n centers
Each center $C_i$ posts the partial sums:
$$T_i = \sum_j u_{i,j}$$
this is the sum of the shares of the votes received by each player.
$$A_i = \sum_j w_{i,j}$$
this is the sum of the shares of the random strings $a_j$ used to commit to the vote by each player.
Anybody can check that the center is revealing the right stuff by using the homomorphic property of the
commitment scheme $B$. Indeed it must hold that
$$g^{A_i} h^{T_i} = \prod_{j=1}^{m} B_j \prod_{\ell=1}^{t} (B_{\ell,j})^{i^\ell} \qquad (12.4)$$
Notice that the correct $T_i$'s are shares of the tally $T$ in a $(t, n)$ Shamir secret sharing scheme. So it is enough
to take $t+1$ of them to interpolate the tally.
Notice: Equations (12.3) and (12.4) are valid only under the assumption that nobody knows the discrete log
in base $g$ of $h$. Indeed whoever knows such a value can open the commitment $B$ in both ways and so reveal incorrect
values that satisfy such equations.
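The full $n$-center flow, as an added Python example (not the notes' or [64]'s code): each voter shares $v_j$ and $a_j$ with degree-$t$ polynomials, publishes the coefficient commitments $B_{\ell,j}$, each center checks its share with equation (12.3), posts $T_i, A_i$, anybody checks equation (12.4), and $t+1$ of the $T_i$ are interpolated into the signed tally. Toy parameters $p = 1019$, $q = 509$, $g = 4$, $h = 9$ and the function names are the example's assumptions; the Proof($B_{a_j}(v_j)$) step is omitted here to keep the example focused on the sharing and checking equations.

```python
import secrets
from math import prod

# Toy Pedersen parameters, constructed for this example (p = 2q + 1, g and h of
# order q); nobody in the election is supposed to know log_g(h).
P, Q, G, H = 1019, 509, 4, 9


def commit(a, m):
    """B_a(m) = g^a h^m mod p (equation 12.2)."""
    return (pow(G, a % Q, P) * pow(H, m % Q, P)) % P


def poly_eval(coeffs, x):
    return sum(c * pow(x, k, Q) for k, c in enumerate(coeffs)) % Q


def cast_vote(v, t, n):
    """Voter j: commit to v_j, share v_j and a_j among the n centers with the
    degree-t polynomials R_j and S_j, and publish commitments to their coefficients.
    Returns (public bulletin-board data, private share (u_ij, w_ij) for each C_i)."""
    assert v in (1, -1)
    a = secrets.randbelow(Q)
    R = [v % Q] + [secrets.randbelow(Q) for _ in range(t)]   # R_j(0) = v_j
    S = [a] + [secrets.randbelow(Q) for _ in range(t)]       # S_j(0) = a_j
    public = {"B": commit(a, v),                                      # B_j
              "coef": [commit(S[l], R[l]) for l in range(1, t + 1)]}  # B_{l,j}
    private = {i: (poly_eval(R, i), poly_eval(S, i)) for i in range(1, n + 1)}
    return public, private


def rhs_12_3(public, i, t):
    """B_j * prod_{l=1..t} (B_{l,j})^{i^l}: the right-hand side of equation (12.3)."""
    rhs = public["B"]
    for l in range(1, t + 1):
        rhs = (rhs * pow(public["coef"][l - 1], pow(i, l, Q), P)) % P
    return rhs


def check_share(public, i, u, w, t):
    """Center C_i: g^{w_ij} h^{u_ij} must equal the right-hand side of (12.3)."""
    return commit(w, u) == rhs_12_3(public, i, t)


def partial_sums(shares):
    """Center C_i posts T_i = sum_j u_ij and A_i = sum_j w_ij (mod q)."""
    return sum(u for u, _ in shares) % Q, sum(w for _, w in shares) % Q


def check_partial_sums(publics, i, T_i, A_i, t):
    """Anybody: g^{A_i} h^{T_i} must equal the product over j of the (12.3)
    right-hand sides, which is equation (12.4)."""
    return commit(A_i, T_i) == prod(rhs_12_3(pub, i, t) for pub in publics) % P


def interpolate_tally(points):
    """Lagrange interpolation at 0 of t+1 pairs (i, T_i), then map Z_q back to a
    signed count (the tally lies in [-m, m] with m well below q/2)."""
    T = sum(y * prod((-xj) * pow((x - xj) % Q, -1, Q) for xj, _ in points if xj != x)
            for x, y in points) % Q
    return T if T <= Q // 2 else T - Q


def run_election(votes, t, n):
    """Every honest step of the protocol; returns the reconstructed tally."""
    publics, received = [], {i: [] for i in range(1, n + 1)}
    for v in votes:
        pub, priv = cast_vote(v, t, n)
        for i, (u, w) in priv.items():
            assert check_share(pub, i, u, w, t), "bad share from voter"
            received[i].append((u, w))
        publics.append(pub)
    posted = {}
    for i in range(1, n + 1):
        T_i, A_i = partial_sums(received[i])
        assert check_partial_sums(publics, i, T_i, A_i, t), "center posted a wrong sum"
        posted[i] = T_i
    # any t+1 centers suffice; here the first t+1 are used
    return interpolate_tally([(i, posted[i]) for i in range(1, t + 2)])
```

Note what each check protects against: (12.3) lets a center reject a voter who sent it shares inconsistent with the posted commitments, and (12.4) lets anybody reject a center that posts a partial sum inconsistent with the shares it should hold; neither reveals any $u_{i,j}$ or $w_{i,j}$ to the public.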
Analysis: Let's go through the properties one by one. (1) and (2) are clearly satisfied. (3) is satisfied assuming
that at most $t$ centers can cooperate to learn the vote. If $t+1$ centers cooperate, then the privacy of the votes
is lost. (4) is true for the following reason: assume that $V_1$ is trying to copy the action of $V_2$. When it comes
to the point of proving the correctness of the vote (i.e. performing Proof($B$)), $V_1$ will probably receive a different
challenge $c$ than $V_2$. He will not be able to answer it and he will be eliminated from the election. (5) is true
under the discrete-log assumption (see note above.) (6) is true as anybody can check the ZK proofs and
Equations (12.3) and (12.4). (7) is true as we need only $t+1$ good centers to reconstruct the tally.
It is easy to see that because we need $t+1$ good centers and at most $t$ centers can be bad, the maximum number
of corrupted centers tolerated by the protocol is $\frac{n}{2} - 1$.
(8) is not satisfied. This is because somebody could be coerced into revealing both $a$ and $v$ when posting the
commitment $B_a(v)$.
12.4.4 Uncoercibility
The problem of coercion of voters is probably the most complicated one. What exactly does it mean? In how
many ways can a coercer try to force a voter to cast a given vote?
Let's try to simplify the problem. We will consider two possible kinds of coercer. One who contacts the voter
before the election starts and one who contacts the voter after the election is concluded.
The "before" coercer has greater power. He can tell the voter what vote to cast and also what randomness to
use during the protocol. This basically amounts to fixing the behavior of the voter during the protocol. If the
voter does not obey, it will be easy for the coercer to detect this. There have been some solutions
proposed to this problem that use some form of physical assumption. For example one could allow the voter to
exchange a limited number of bits over a secure channel with the voting centers [30, 181]. This would hopefully
prevent the coercer from noticing that the voter is not following his instructions. Or one could force the voter
to use some tamper-proof device that encrypts messages for him, choosing the randomness. This would prevent
the coercer from forcing the user to use some fixed coin tosses, as the user has no control over what coins the
tamper-proof device is going to generate.
The "after" coercer has smaller power. He can only go to the voter and ask to see the vote $v$ and the
randomness $\rho$ used by the voter during the protocol. Maybe there could be a way for the voter to construct
different $v'$ and $\rho'$ that "match" his execution of the protocol. This is not possible in the protocol above (unless
the voter solves the discrete log problem.) Recently however a protocol for this purpose has been proposed by
Canetti and Gennaro [51]. They use a new tool called deniable encryption (invented by Canetti, Dwork, Naor
and Ostrovsky [50]), which is a new form of public key probabilistic encryption $E$ with the following property.
Let $m$ be the message and $r$ the coin tosses of the sender. The sender computes the ciphertext $c = E_r(m)$.
If afterwards somebody approaches him and asks for the value of $m$, the sender will be able to produce $m'$ and $r'$
such that $E_{r'}(m') = c$.
12.5 Digital Cash
The primary means of making monetary transactions on the Internet today is by sending credit card information
or establishing an account with a vendor ahead of time.
The major opposition to credit card based Internet shopping is that it is not anonymous. Indeed it is susceptible
to monitoring, since the identity of the customer is established every time he/she makes a purchase. In real
life we have the alternative to use cash whenever we want to buy something without establishing our identity.
The term digital cash describes cryptographic techniques and protocols that aim to recreate the concept of
cashbased shopping over the Internet.
First we will describe a general approach to digital cash based on publickey cryptography. This approach was
originally suggested by David Chaum [54]. Schemes based on such approach achieve the anonymity property.
12.5.1 Required properties for Digital Cash
The properties that one would like to have from Digital Cash schemes are at least the following:
• forgery is hard
• duplication should be either prevented or detected
• preserve customers' anonymity
• minimize online operations on large databases
12.5.2 A First-Try Protocol
A Digital Cash scheme usually consists of three protocols. The withdrawal protocol, which allows a User to
obtain a digital coin from the Bank. A payment protocol, during which the User buys goods from a Vendor in
exchange for the digital coin. And finally a deposit protocol, where the Vendor gives back the coin to the Bank to
be credited to his/her account.
In the protocol below we assume that the Bank has a secret key $SK_B$ to sign messages and that the corresponding
public key $PK_B$ is known to everybody else. With the notation $\{M\}_{SK}$ we denote the message $M$ together
with its signature under key $SK$.
Let's look at this possible digital cash protocol.
Withdrawal Protocol:
1. User tells Bank she would like to withdraw $100.
2. Bank returns a $100 bill which looks like this:
{I am a $100 bill, #4527}_{SK_B}
and withdraws $100 from the User's account.
3. User checks the signature and if it is valid accepts the bill.
Payment Protocol:
1. The User pays the Vendor with the bill.
2. The Vendor checks the signature and if it's valid accepts the bill.
Deposit Protocol:
1. The Vendor gives the bill to the Bank.
2. The Bank checks the signature and if it's valid, credits the Vendor's account.
Given some suitable assumption on the security of the signature scheme, it is clear that it is impossible to forge
digital coins. However it is very easy to duplicate and double-spend the same digital coin several times. It
is also clear that anonymity is not preserved as the Bank can link the name of the User with the serial number
appearing on the bill and know where the User spent the coin.
12.5.3 Blind signatures
Let's try to solve the anonymity problem first. This approach involves blind signatures. The user presents
the bank with a bill inside a container. The bank signs the bill without seeing the contents of the bill. This
way, the bank cannot determine the source of a bill when a merchant presents it for deposit.
A useful analogy: The user covers a check with a piece of carbon paper and then seals both of them inside
an envelope. The user gives the envelope to the bank. The bank then signs the outside of the envelope with a
ballpoint pen and returns the envelope to the user (without opening it; actually the bank is unable to open
the envelope in the digital version). The user then removes the signed check from the envelope and can spend
it. The bank has never seen what it signed, so it cannot associate it with the user when it is returned to be
deposited, but it can verify the signature on the check and thus guarantee the validity of the check.
There is, of course, a problem with this: The bank can be fooled into signing phony bills. For example, a
user could tell the bank he's making a $1 withdrawal and then present a $100 bill to be signed. The bank will,
unknowingly, sign the $100 bill and allow the user to cheat the bank out of $99. We will deal with this problem
later; for now let us show how to construct blind signatures.
12.5.4 RSA blind signatures
Recall the RSA signature scheme: if $M$ is the message to be signed, then its signature is $s = M^{e^{-1}} \bmod n$ where
$n$ and $e$ are publicly known values. The secret information that the bank possesses is the inverse of $e$ mod $\phi(n)$,
which we will denote by $d$. The signature can be verified by calculating $s^e \bmod n$ and verifying that it is equal
to $M \bmod n$.
In the case of blind signatures, the User wants the Bank to provide him with $s$, without revealing $M$ to the bank.
Here is a possible anonymous withdrawal protocol. Let $M$ be a $100 bill.
Withdrawal Protocol:
1. User chooses some random number $r \bmod n$.
2. User calculates $M' = M r^e \bmod n$.
3. User gives the Bank $M'$.
4. The Bank returns a signature for $M'$, say $s' = (M')^d \bmod n$. Note that
$$s' = (M')^d = M^d (r^e)^d = M^d r$$
5. The Bank debits the User's account for $100.
6. Since the User knows $r$, he can divide $s'$ by $r$ to obtain
$$s = M^d$$
The payment and deposit protocols remain the same as above. This solves the problem of preserving the
User's anonymity, as when the coin comes back to the Bank there is no link between it and the User it was issued
to.
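An added Python example of the blind withdrawal protocol above (not code from the notes). The bank's RSA key is built from two known Mersenne primes so the example runs offline and deterministically; the bill encoding (SHA-256 of the bill text reduced modulo $n$), the blinding factor being drawn coprime to $n$, and the function names are assumptions of the example.

```python
import hashlib
import secrets
from math import gcd

# Toy RSA key for the bank, constructed from two known primes (the Mersenne
# primes 2^31 - 1 and 2^61 - 1). Far too small for real use; the algebra is the point.
p, q = 2**31 - 1, 2**61 - 1
N = p * q
E = 65537                              # public exponent e; gcd(e, phi(N)) = 1 here
D = pow(E, -1, (p - 1) * (q - 1))      # d = e^{-1} mod phi(N), held only by the bank


def encode_bill(text):
    """Map the bill text to a message M < N (hash-then-reduce; constructed encoding)."""
    return int.from_bytes(hashlib.sha256(text.encode()).digest(), "big") % N


def blind(M, r=None):
    """User, steps 1-2: pick random r coprime to N and compute M' = M * r^e mod N."""
    while r is None or gcd(r, N) != 1:
        r = secrets.randbelow(N - 2) + 2
    return (M * pow(r, E, N)) % N, r


def bank_sign(M_blinded):
    """Bank, step 4: s' = (M')^d mod N. It signs whatever it is handed and never sees M."""
    return pow(M_blinded, D, N)


def unblind(s_blinded, r):
    """User, step 6: s = s' / r mod N, which equals M^d mod N."""
    return (s_blinded * pow(r, -1, N)) % N


def verify(M, s):
    """Anyone (vendor, bank at deposit): s^e mod N == M."""
    return pow(s, E, N) == M % N


def withdraw(text):
    """Whole withdrawal; returns (M, what the bank saw, the unblinded signature)."""
    M = encode_bill(text)
    M_blinded, r = blind(M)
    s = unblind(bank_sign(M_blinded), r)
    return M, M_blinded, s


if __name__ == "__main__":
    M, seen_by_bank, s = withdraw("I am a $100 bill, #4527")
    print("valid:", verify(M, s), "bank saw M itself:", seen_by_bank == M)
```

The signature that comes out is exactly the ordinary RSA signature $M^d \bmod n$, yet the bank only ever processed $M'$, so at deposit time it cannot match the coin to the withdrawal. The code deliberately reproduces the cheating problem described above: bank_sign signs whatever it is given, so nothing stops a user from blinding a $100 bill while claiming a $1 withdrawal.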
We still have two problems.
1. The bank can still be fooled into signing something that it shouldn’t (like a $100 bill that it thinks is a